Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help With A.doginhispen And B.whataboutadog


  • This topic is locked This topic is locked
12 replies to this topic

#1 msimme

msimme

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 06 November 2007 - 09:58 AM

Hello! This is my first post. While looking at my history file, I noticed the 2 websites mentioned in my topic (a.doginhispen and b.whataboutadog). There were also registry entries added. It had been in my history for over 3 weeks. My McAfee antivirus and AVG antivirus did not detect it. I spent 6 hours with McAfee techs yesterday. They did not explain what they were doing and disconnected me when I asked questions. The sites are not showing up in my history yet today, but I am concerned about the numerous files that I saw the McAfee tech delete. They did not restore anything like I have seen mentioned in prior posts. Could you take alook at my hijack this log and my AWF log and see what you think? I also have a hijack this log and AWF log from yesterday, before the techs got on my computer if you would like to see those.


AWF Log from this morning

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 11/06/2007
The current time is: 9:30:52.21


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 03:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/26/2007 01:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 11:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 07:00 AM 15,360 ctfmon.exe
02/05/1998 02:16 PM 24,576 NILaunch.exe
03/11/2004 12:26 AM 406,016 PSDrvCheck.exe
3 File(s) 445,952 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

09/21/2005 12:41 PM 1,605,740 HPBootOp.exe
1 File(s) 1,605,740 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE\MBK\BAK

01/08/2007 10:22 AM 20,480 LogOnHook.exe
01/16/2007 12:59 PM 4,838,952 McAfeeDataBackup.exe
2 File(s) 4,859,432 bytes

Directory of C:\PROGRA~1\PINNACLE\PPE\BAK

02/03/2004 02:13 PM 49,152 PPE.EXE
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

01/12/2006 04:40 PM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/11/2005 04:16 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 10:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 19 2007 "C:\!KillBox\kbd.exe"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
26636 Oct 19 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Oct 11 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Oct 11 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
26636 Oct 19 2007 "C:\!KillBox\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
26636 Oct 19 2007 "C:\!KillBox\nilaunch.exe"
24576 Feb 5 1998 "C:\Program Files\Net-It Now! Starter Edition\NTPrint\NILaunch.exe"
24576 Feb 5 1998 "C:\WINDOWS\system32\bak\NILaunch.exe"
26636 Oct 19 2007 "C:\!KillBox\psdrvcheck.exe"
406016 Mar 11 2004 "C:\WINDOWS\system32\bak\PSDrvCheck.exe"
26636 Oct 19 2007 "C:\!KillBox\hpbootop.exe"
1605740 Sep 21 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
26636 Oct 19 2007 "C:\!KillBox\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
531 Oct 18 2007 "C:\Program Files\HP\hpcoretech\data\EvntData-340133428.xml"
324 Nov 2 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-225470946.xml"
26636 Oct 19 2007 "C:\!KillBox\hpwuschd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
20480 Jan 8 2007 "C:\!KillBox\logonhook.exe"
20480 Jan 8 2007 "C:\Program Files\McAfee\MBK\bak\LogOnHook.exe"
4838952 Jan 16 2007 "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
4838952 Jan 16 2007 "C:\Program Files\McAfee\MBK\bak\McAfeeDataBackup.exe"
26636 Oct 19 2007 "C:\!KillBox\ppe.exe"
49152 Feb 3 2004 "C:\Program Files\Pinnacle\PPE\bak\PPE.EXE"
26636 Oct 19 2007 "C:\!KillBox\adobeupdatemanager.exe"
45760 Jul 5 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
26636 Oct 19 2007 "C:\!KillBox\nerocheck.exe"
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
26636 Oct 19 2007 "C:\!KillBox\realsched.exe"
180269 Nov 11 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
26636 Oct 19 2007 "C:\!KillBox\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


end of report

Hijack This Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:16 AM, on 11/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ImageMixer for HDD Camcorder.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://dasd5.dasd.org/qp2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...155/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9071 bytes


I really would appreciate your help. I am concerned that I may have lost some functionality in my applications. Also,
is there any way to tell if the data on my computer was compromised by this trojan? Do I have security concerns?

Thank you again for your help

Mary

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 08 November 2007 - 12:23 AM

Hello Mary,

I am SifuMike and I will be helping you.

I really would appreciate your help. I am concerned that I may have lost some functionality in my applications.



Yes, you have lost many applications; however, they have been backuped so we can restore them.

Also,
is there any way to tell if the data on my computer was compromised by this trojan? Do I have security concerns?


The list of compromised programs is below. No, I dont think your antivirus has been affected.



Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\hp\KBD\bak\KBD.EXE"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\NILaunch.exe"
"C:\WINDOWS\system32\bak\PSDrvCheck.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\hpcoretech\bak\data\EvntData-225470946.xml"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\McAfee\MBK\bak\LogOnHook.exe"
"C:\Program Files\McAfee\MBK\bak\McAfeeDataBackup.exe"
"C:\Program Files\Pinnacle\PPE\bak\PPE.EXE"
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
"C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply
.

Edited by SifuMike, 08 November 2007 - 12:37 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 msimme

msimme
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 08 November 2007 - 06:04 AM

Hello SifuMike!

Thank you so much for your help! I did as you instructed and here is the new AWF log file.


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 11/08/2007
The current time is: 5:51:37.00


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 03:44 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/26/2007 01:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 11:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/10/2004 07:00 AM 15,360 ctfmon.exe
02/05/1998 02:16 PM 24,576 NILaunch.exe
03/11/2004 12:26 AM 406,016 PSDrvCheck.exe
3 File(s) 445,952 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

09/21/2005 12:41 PM 1,605,740 HPBootOp.exe
1 File(s) 1,605,740 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\MCAFEE\MBK\BAK

01/08/2007 10:22 AM 20,480 LogOnHook.exe
01/16/2007 12:59 PM 4,838,952 McAfeeDataBackup.exe
2 File(s) 4,859,432 bytes

Directory of C:\PROGRA~1\PINNACLE\PPE\BAK

02/03/2004 02:13 PM 49,152 PPE.EXE
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~1.0\READER\BAK

03/30/2006 03:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

01/12/2006 04:40 PM 155,648 NeroCheck.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

11/11/2005 04:16 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 10:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 19 2007 "C:\!KillBox\kbd.exe"
61440 Feb 2 2005 "C:\hp\KBD\KBD.EXE"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.EXE"
267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 6 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
116008 Nov 6 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
26636 Oct 19 2007 "C:\!KillBox\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 10 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
26636 Oct 19 2007 "C:\!KillBox\nilaunch.exe"
24576 Feb 5 1998 "C:\WINDOWS\system32\NILaunch.exe"
24576 Feb 5 1998 "C:\Program Files\Net-It Now! Starter Edition\NTPrint\NILaunch.exe"
24576 Feb 5 1998 "C:\WINDOWS\system32\bak\NILaunch.exe"
26636 Oct 19 2007 "C:\!KillBox\psdrvcheck.exe"
406016 Mar 11 2004 "C:\WINDOWS\system32\PSDrvCheck.exe"
406016 Mar 11 2004 "C:\WINDOWS\system32\bak\PSDrvCheck.exe"
26636 Oct 19 2007 "C:\!KillBox\hpbootop.exe"
1605740 Sep 21 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
1605740 Sep 21 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
26636 Oct 19 2007 "C:\!KillBox\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
531 Oct 18 2007 "C:\Program Files\HP\hpcoretech\data\EvntData-340133428.xml"
324 Nov 2 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-225470946.xml"
26636 Oct 19 2007 "C:\!KillBox\hpwuschd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
20480 Jan 8 2007 "C:\!KillBox\logonhook.exe"
20480 Jan 8 2007 "C:\Program Files\McAfee\MBK\LogOnHook.exe"
20480 Jan 8 2007 "C:\Program Files\McAfee\MBK\bak\LogOnHook.exe"
4838952 Jan 16 2007 "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
4838952 Jan 16 2007 "C:\Program Files\McAfee\MBK\bak\McAfeeDataBackup.exe"
26636 Oct 19 2007 "C:\!KillBox\ppe.exe"
49152 Feb 3 2004 "C:\Program Files\Pinnacle\PPE\PPE.EXE"
49152 Feb 3 2004 "C:\Program Files\Pinnacle\PPE\bak\PPE.EXE"
26636 Oct 19 2007 "C:\!KillBox\adobeupdatemanager.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
45760 Jul 5 2007 "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
26636 Oct 19 2007 "C:\!KillBox\nerocheck.exe"
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
26636 Oct 19 2007 "C:\!KillBox\realsched.exe"
180269 Nov 11 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Nov 11 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
26636 Oct 19 2007 "C:\!KillBox\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"


end of report

Again, thank you. I really appreciate the fact that you explain why to do each step. Did this trojan have access to any data from my computer?

Mary

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 08 November 2007 - 11:38 AM

Hi Mary,

26636 Oct 19 2007 "C:\!KillBox\ppe.exe"
26636 Oct 19 2007 "C:\!KillBox\kbd.exe"
26636 Oct 19 2007 "C:\!KillBox\qttask.exe
26636 Oct 19 2007 "C:\!KillBox\nerocheck.exe"
26636 Oct 19 2007 "C:\!KillBox\hpwuschd2.exe"
20480 Jan 8 2007 "C:\!KillBox\logonhook.exe"
26636 Oct 19 2007 "C:\!KillBox\psdrvcheck.exe"
26636 Oct 19 2007 "C:\!KillBox\hpbootop.exe"
26636 Oct 19 2007 "C:\!KillBox\hpcmpmgr.exe"
26636 Oct 19 2007 "C:\!KillBox\hpwuschd2.exe"
20480 Jan 8 2007 "C:\!KillBox\logonhook.exe"


Why were you using with Killbox to delete these files? :thumbsup:
Were you working with another forum?

Killbox is an advanced tool and should NOT be used without expert guidenece.
You start deleting system files and your computer will not ever boot and you will have to reformat and realod.



Did this trojan have access to any data from my computer?


No, it did not acesses data. When we have you completed clean, I recommend you change you passwords. That should be done frequently.


Please download ATF Cleaner by Atribune.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Reboot your computer <==== Important

Let me know when you have complete the above, and then we will continue.

Edited by SifuMike, 08 November 2007 - 01:42 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 msimme

msimme
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 08 November 2007 - 04:07 PM

"Why were you using with Killbox to delete these files?
Were you working with another forum?"

As I said in my first post, I started out with McAfee's technical support. Their technician remotely controlled my computer and downloaded killbox and used it to delete files. When I asked him about restoring the files, he disconnected me. Very disappointing. I so appreciate your help and your explanations of things you do.

I ran ATF cleaner and rebooted my machine. I am now waiting for your instructions.

Thanks
Mary

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 08 November 2007 - 05:08 PM

Hello Mary,

As I said in my first post, I started out with McAfee's technical support. Their technician remotely controlled my computer and downloaded killbox and used it to delete files. When I asked him about restoring the files, he disconnected me. Very disappointing. I so appreciate your help and your explanations of things you do.



Sounds like McAfee's technical support does not have a clue as to the way to remove the trojan and restore you files. :thumbsup:



Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\hp\KBD\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\system32\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\McAfee\MBK\bak
C:\Program Files\Pinnacle\PPE\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Common Files\Ahead\Lib\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 msimme

msimme
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 08 November 2007 - 06:08 PM

You are right about the McAfee techs. That was a waste of money. They also used a program called autorun. After they deleted files, they were using autorun to delete any instructions that called for those files. That is where I stopped them. It just didn't seem right.

Here is the new AWF log.

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 11/08/2007
The current time is: 17:57:43.81


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

531 Oct 18 2007 "C:\Program Files\HP\hpcoretech\data\EvntData-340133428.xml"
324 Nov 2 2007 "C:\Program Files\HP\hpcoretech\bak\data\EvntData-225470946.xml"


end of report

Thanks
Mary

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 08 November 2007 - 06:38 PM

Hello Mary,

Looks good. :thumbsup:


Now run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT


Now we run ComboFix.



If you have used Combofix before, please delete the version you are having and redownload it again, because Combofix is being updated everyday.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
 Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix  log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
 
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 msimme

msimme
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 08 November 2007 - 07:34 PM

Ok we are moving right along. Here is the combo fix log


ComboFix 07-11-08.1 - Compaq_Administrator 2007-11-08 19:09:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.451 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-08 19:08 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 05:51 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2007-11-08 05:51 24,576 --a------ C:\WINDOWS\system32\NILaunch.exe
2007-11-05 20:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2007-11-05 18:36 <DIR> d-------- C:\WINDOWS\pss
2007-11-05 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2007-11-05 16:52 <DIR> d-------- C:\sdat
2007-11-05 16:52 23,264,988 --a------ C:\sdat5156.exe
2007-11-05 16:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-05 16:17 3,978 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-05 16:11 61,480 --a------ C:\Documents and Settings\Compaq_Administrator\GoToAssistDownloadHelper.exe
2007-11-05 15:29 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-05 13:44 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-11-05 09:04 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\AVG7
2007-11-05 09:03 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-11-05 09:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-11-05 07:50 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-10-11 20:03 <DIR> d-------- C:\Program Files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 22:57 --------- d-----w C:\Program Files\QuickTime
2007-11-06 17:19 --------- d-----w C:\Program Files\iPod
2007-11-05 00:34 --------- d-----w C:\Program Files\Java
2007-10-24 12:37 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Viewpoint
2007-10-24 12:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-24 00:43 --------- d-----w C:\Program Files\AIM6
2007-10-24 00:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-10-21 14:41 --------- d-----w C:\Program Files\Calendar Creator 6.0
2007-10-20 11:37 --------- d-----w C:\Program Files\McAfee
2007-10-08 19:40 201,728 ----a-w C:\WINDOWS\system32\Pumpkin Carving.scr
2007-10-05 19:23 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\WinBatch
2007-09-26 20:43 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\McAfee
2007-09-26 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-09-26 20:38 --------- d-----w C:\Program Files\Common Files\McAfee
2007-09-26 20:36 --------- d-----w C:\Program Files\McAfee.com
2007-09-26 20:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
2007-09-22 23:50 --------- d-----w C:\Program Files\Apple Software Update
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2005-05-12 14:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-02-03 00:41:28 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"PCDrProfiler"="" []
"NWEReboot"="" []
"McAfee Backup"="C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe" [2007-01-16 12:59]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 23:56]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 02:19 C:\WINDOWS\arpwrmsg.exe]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [2007-01-08 10:22]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 07:00]
"Aim6"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-24 01:05:26]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2005-11-11 16:32:23]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 22:31:38]
ImageMixer for HDD Camcorder.lnk - C:\Program Files\PIXELA\ImageMixer for HDD Camcorder\IMx3Launcher.exe [2007-01-28 20:22:44]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

R0 MrFilter;EasyWrite Driver;C:\WINDOWS\system32\drivers\MrFilter.sys
S3 Intuit Fuse Service;Intuit Fuse Service;"C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe"
S3 IPN2120;Wireless-B PCI Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSIPNDS.sys
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 23:39:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-09-26 20:36:37 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-09-26 20:36:35 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 19:13:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\erdnt

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2007-11-08 19:14:25
.
--- E O F ---




Here is the new Hijack This Log


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:57 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\ehome\ehtray.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\HPZinw12.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfee Backup] C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: ImageMixer for HDD Camcorder.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://dasd5.dasd.org/qp2.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqcpc/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...155/mcfscan.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 9165 bytes



Hope things still look good! Thanks so much!

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 08 November 2007 - 11:20 PM

Hi Mary,

Your log looks clean! :thumbsup: Good job on the cleanup!


Delete FindAWF from your desktop, as we are done with it.


Uninstall ComboFix, go to to Start > Run & type in ComboFix /u
Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.


Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.

Edited by SifuMike, 08 November 2007 - 11:22 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 msimme

msimme
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:08:28 PM

Posted 09 November 2007 - 09:24 AM

Thank you for all of your help. I really appreciate it!

#12 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 09 November 2007 - 11:58 AM

You are welcome. :thumbsup: I hope your computer continues to run smoothly for you.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:28 PM

Posted 14 November 2007 - 10:41 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users