Whataboutadog, Trojan.zonebac, And Other Malware Removal


This topic is locked. 18 replies to this topic.

#1 Ravyn77 (Members)

Posted 08 November 2007 - 10:28 AM

It all started with a blue screen that kept shutting down my computer in August. Nobody could fix it, and the people at Dell (this is a Dell laptop) finally had me restore Windows (hoping I am using the right terminology here). Not knowing computers that well, I thought that all was well. Some Apoint dll error at startup kept failing when I turned the laptop on, but I ignored it. My school (I am a student) set my computer up to scan for viruses once a week. I had Windows automatically checking for updates and installing them every so often, and didn't realize a bunch of them weren't installing properly. Also, my IE6 windows kept closing unexpectedly. Downloaded and ran Spybot, kept finding and repairing DeepDive. Realized the non-installing updates may also be a problem this past weekend, searched the internet, found out the problem, and all the updates were installed. Now, IE7 (that I just installed) kept closing with an error, or links I clicked on gave a weird error. Realized none of my antivirus checkers were up to date, so I updated them and ran them. All kinds of Trojans came up, that I tried to fix using my Symantec and the instructions on their website. Started searching the internet for the errors I was getting. Learned about you guys, and here I am.

Last night, Symantec said it cleaned Trojan.zonebac and others. It said it found something in Apoint.exe but couldn't fix it and left it alone, but when I run Symantec again it doesn't come up. In the log it said there were tons of omissions, but I don't know why. Spybot keeps finding deepdive and repairing it. Before I read more and found out I maybe shouldn't have, I ran HJT and "fixed" a few things I looked up online and found to be bad, like whataboutadog, which kept coming back up in new logs after I fixed it. It even came back after I "fixed" it with System Restore disabled. Of course, the log I ran just now has it missing so it looks like I made this up or something. I saved some of the older logs...it was there all day and night yesterday, I promise.

Per instructions on this site, I tried running Panda active scan, but after it updated, I got an error and it wouldn't scan. I even ran adaware, which finished fine, but when I tried to let it remove things, I got this error and then it shut down:

Component:
TVirtualStringTree

Message:
Access violation at address 005382E2 module ‘Ad-Aware 2007.exe’. Read of address 0000000D.

I think that's all I know about my problems. Sorry if I gave too many details. Below is my HJT log. Thanks in advance for trying to help.

[Addendum: After trying to post this to your forum, I learned I've been using an old version of HJT. Perfect. Just fixed that and got the right one. The "corrected" HJT log is below.]
_____________________________________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22:41 AM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\JHSecure\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [GC75-Mgr-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Mgr.exe" -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: JHSecure VPN Client.lnk = C:\Program Files\JHSecure\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118415753796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194035216015
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimport/ms/emailimport.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\JHSecure\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10654 bytes

#2 teacup61 (Malware Response Team)

Posted 08 November 2007 - 11:52 AM

Hello Ravyn77,

Welcome to Bleeping Computer :thumbsup:

1. Please download FindAWF by noahdfear and save it to your desktop.
2. Please double-click FindAWF.exe to run it.
3. If a security alert shows, allow the program to run.
4. When the tool has completed, a report will open in Notepad.
5. Please post the results of the awf.txt in your next reply.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 Ravyn77 (Topic Starter)

Posted 08 November 2007 - 12:15 PM

Thanks so much for your quick reply.

Things I forgot to mention:
1. I've had the TeaTimer running, and when it first started asking me to allow stuff, I basically flipped a coin to decide what to do. It keeps asking me to make decisions I'm not equipped to make...so I may have made some mistakes. Then I got scared and always said no. At this point, I exit it when I turn on my computer before it asks me anything.

2. The last HJT log was before I rebooted after scanning and fixing with the other stuff, so the whataboutadog may be hiding out waiting to bite me again. I just rebooted before the log below...that's what took me so long.

3. I've done all this stuff with System Restore off. It's still off. Hopefully that's ok.

OK, below is my interpretation of what you asked for. I told it to scan for bak files, because it gave me these four choices on a blue screen and I wasn't sure which was right:

1. scan for bak folders
2. restore files from bak folders
3. remove bak folders
4. reset domain zones

Did I do it right?

_________________________________________________________________________

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Thu 11/08/2007
The current time is: 12:13:47.35


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

09/13/2004 04:33 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

12/30/2004 01:19 PM 120,640 VPTray.exe
1 File(s) 120,640 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/12/2004 08:18 AM 15,360 ctfmon.exe
02/15/2005 03:02 PM 126,976 hkcmd.exe
02/15/2005 03:02 PM 155,648 igfxtray.exe
3 File(s) 297,984 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/10/2004 05:02 PM 67,184 ccApp.exe
1 File(s) 67,184 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

04/26/2004 08:04 AM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\MAXTOR\MANAGE~1\BAK

08/11/2006 07:45 AM 712,704 Onetouch.exe
1 File(s) 712,704 bytes

Directory of C:\PROGRA~1\MAXTOR\ONETOU~1\BAK

08/11/2006 10:15 AM 81,920 maxmenumgr.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

12/05/2006 04:39 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SONYER~1\WIRELE~1\BAK

12/20/2004 09:25 PM 770,141 GC75Mgr.exe
1 File(s) 770,141 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

12/06/2004 01:05 AM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/17/2007 03:40 PM 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

10/30/2004 02:59 PM 385,024 ifrmewrk.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Sep 13 2004 "C:\drivers\mouse\onboard\Apoint.exe"
155648 Sep 13 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 2 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
120640 Dec 30 2004 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
120640 Dec 30 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 12 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 12 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Feb 15 2005 "C:\drivers\video\onboard\hkcmd.exe"
126976 Feb 15 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 Feb 15 2005 "C:\drivers\video\onboard\igfxtray.exe"
155648 Feb 15 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
67184 Dec 10 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
67184 Dec 10 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
53248 Apr 26 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
712704 Aug 11 2006 "C:\Program Files\Maxtor\ManagerApp\bak\Onetouch.exe"
81920 Aug 11 2006 "C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe"
81920 Aug 11 2006 "C:\Program Files\Maxtor\OneTouch Status\bak\maxmenumgr.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
770141 Dec 20 2004 "C:\Program Files\Sony Ericsson\Wireless Manager\bak\GC75Mgr.exe"
127035 Dec 6 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Dec 6 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
185896 Jan 17 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
385024 Oct 30 2004 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

#4 Ravyn77 (Topic Starter)

Posted 08 November 2007 - 12:21 PM

Sorry, keep forgetting stuff (I've been dealing with this for almost 24 hrs straight...those scans take forever)...

When I did the symantec repair per the instructions at this site:
http://www.symantec.com/security_response/...-99&tabid=3

I did it all except #5, restore the backup file. I didn't understand how to do it, so I got scared and left it alone and prayed that I didn't screw up the registry. Not sure if I screwed it up anyway, but thought you should know.

#5 teacup61 (Malware Response Team)

Posted 08 November 2007 - 12:35 PM

Hi,

Just relax a bit, K? :thumbsup: We'll get it taken care of. First off, PLEASE turn on System Restore. What if something goes wrong and we need it? Better to have a dirty restore point than none at all, right?

Let me put this together while you get system restore back on, and I'll get right back to you.

Regards,
tea

#6 teacup61 (Malware Response Team)

Posted 08 November 2007 - 12:40 PM

Okay, here we go :thumbsup:

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\Apoint\bak\Apoint.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
"C:\Program Files\Maxtor\ManagerApp\bak\Onetouch.exe"
"C:\Program Files\Maxtor\OneTouch Status\bak\maxmenumgr.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\Sony Ericsson\Wireless Manager\bak\GC75Mgr.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Thanks,
tea
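The mechanism tea describes in the post above, and the pattern visible in the first FindAWF report in post #3 (a bak subfolder beside each autostart executable, with the parent copy absent from the "Duplicate files" list until it is restored), as an added worked example in Python. This is not FindAWF and not code from BleepingComputer or noahdfear; it is illustrative only. It parses HijackThis-style O4 lines for executable paths, compares each one with its bak twin (by SHA-256 here, whereas the FindAWF report lists matches by size and date, so the hash comparison is this example's own choice), and restores the original over the rogue copy. The directory layout, file bytes and log lines are constructed in a temporary directory for the demo, and the process termination FindAWF performs first is deliberately left out.

```python
"""Triage for the bak-folder autostart swap discussed in this thread.
Added example, not FindAWF or any BleepingComputer code. The vendor exe is
moved into a subfolder named bak and a rogue file of the same name dropped
in its place, so the Run key keeps launching the rogue; a parent file whose
bytes differ from its bak twin is the replacement. All sample data is
constructed: log lines, file contents and the temp-dir layout."""
import hashlib
import os
import re
import shutil
import tempfile

# O4 - HKLM\..\Run: [Name] "C:\path\file.exe" args  -> capture the exe path
O4_RE = re.compile(r'^O4 - .*\\Run: \[[^\]]+\]\s+"?(.+?\.exe)"?(?:\s|$)', re.IGNORECASE)
# exe whose immediate parent folder is itself named bak (either separator)
RUNS_FROM_BAK_RE = re.compile(r'[\\/]bak[\\/][^\\/]+$', re.IGNORECASE)

# Constructed excerpt in HijackThis O4 format, using paths from the thread
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"""

def parse_o4_paths(log_text):
    """Executable paths from O4 Run entries; entries without an .exe are skipped."""
    matches = (O4_RE.match(line.strip()) for line in log_text.splitlines())
    return [m.group(1) for m in matches if m]

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def classify_autostart(exe_path):
    """'runs-from-bak' (Run key already points into a bak folder), 'no-bak',
    'missing', 'identical' or 'replaced' for one autostart executable."""
    if RUNS_FROM_BAK_RE.search(exe_path):
        return "runs-from-bak"
    folder, name = os.path.split(exe_path)
    bak_copy = os.path.join(folder, "bak", name)
    if not os.path.isfile(bak_copy):
        return "no-bak"
    if not os.path.isfile(exe_path):
        return "missing"
    return "identical" if sha256_of(exe_path) == sha256_of(bak_copy) else "replaced"

def restore_from_bak(exe_path):
    """Delete the rogue parent file and copy the bak original back.
    Process termination, which FindAWF does first, is left out here."""
    folder, name = os.path.split(exe_path)
    if os.path.exists(exe_path):
        os.remove(exe_path)
    shutil.copy2(os.path.join(folder, "bak", name), exe_path)
    return classify_autostart(exe_path)

def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def build_demo(root):
    """Lay out a temp tree mirroring the thread's first FindAWF report and
    return matching O4 lines. File bytes are placeholders, not real binaries."""
    vendor, rogue = b"MZ vendor build 2004", b"MZ dropped replacement"
    cases = [  # folder, exe, bytes in bak (None = no bak folder), bytes in parent
        ("Apoint", "Apoint.exe", vendor, rogue),               # rogue still in place
        ("Symantec AntiVirus", "VPTray.exe", vendor, vendor),  # AV already repaired it
        ("Java", "jusched.exe", None, vendor),                 # untouched: no bak folder
    ]
    lines = []
    for folder, name, bak_bytes, parent_bytes in cases:
        if bak_bytes is not None:
            _write(os.path.join(root, folder, "bak", name), bak_bytes)
        _write(os.path.join(root, folder, name), parent_bytes)
        lines.append(r'O4 - HKLM\..\Run: [%s] "%s"' % (folder, os.path.join(root, folder, name)))
    qt = os.path.join(root, "QuickTime", "bak", "bak", "qttask.exe")  # nested case from the log
    _write(qt, vendor)
    lines.append(r'O4 - HKLM\..\Run: [QuickTime Task] "%s" -atboottime' % qt)
    return "\n".join(lines)

def triage(log_text):
    """Map each autostart file name to its classification."""
    return {p.replace("\\", "/").rsplit("/", 1)[-1]: classify_autostart(p)
            for p in parse_o4_paths(log_text)}

def run_demo():
    """Scan, restore every 'replaced' entry, rescan; returns (before, after)."""
    with tempfile.TemporaryDirectory() as root:
        log_text = build_demo(root)
        before = triage(log_text)
        for p in parse_o4_paths(log_text):
            if classify_autostart(p) == "replaced":
                restore_from_bak(p)
        after = triage(log_text)
    return before, after

if __name__ == "__main__":
    before, after = run_demo()
    for name in before:
        print("%-12s %-14s -> %s" % (name, before[name], after[name]))
```

Run it as a script to see each entry's state before and after the restore. The "runs-from-bak" case corresponds to the QuickTime entry in the HijackThis log, whose Run value already points into bak\bak; a plain parent-versus-bak comparison does not apply there, so the example only flags it rather than touching it.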

#7 Ravyn77 (Topic Starter)

Posted 08 November 2007 - 12:41 PM

Done. Well, the System Restore part, anyway. :thumbsup:
Sorry...I'm a PhD student about a month away from finishing her thesis (already backed up on an external drive), so I'm more than a little stressed even without this. I have faith that you will do all you can to help me, so I can finish my thesis and graduate. :blink:

#8 teacup61 (Malware Response Team)

Posted 08 November 2007 - 12:43 PM

If you aren't too tired, we'll get this done in just a little bit. :thumbsup: I see we posted at just about the same time, so please see my post just above your last one. :blink:

tea

#9 Ravyn77 (Topic Starter)

Posted 08 November 2007 - 12:48 PM

Thanks! Below is the new log.
--------------------------------------------------------
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 11/08/2007
The current time is: 12:43:54.10


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\APOINT\BAK

09/13/2004 04:33 PM 155,648 Apoint.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/05/2006 04:39 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

12/30/2004 01:19 PM 120,640 VPTray.exe
1 File(s) 120,640 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/12/2004 08:18 AM 15,360 ctfmon.exe
02/15/2005 03:02 PM 126,976 hkcmd.exe
02/15/2005 03:02 PM 155,648 igfxtray.exe
3 File(s) 297,984 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

12/10/2004 05:02 PM 67,184 ccApp.exe
1 File(s) 67,184 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

04/26/2004 08:04 AM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\MAXTOR\MANAGE~1\BAK

08/11/2006 07:45 AM 712,704 Onetouch.exe
1 File(s) 712,704 bytes

Directory of C:\PROGRA~1\MAXTOR\ONETOU~1\BAK

08/11/2006 10:15 AM 81,920 maxmenumgr.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

12/05/2006 04:39 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SONYER~1\WIRELE~1\BAK

12/20/2004 09:25 PM 770,141 GC75Mgr.exe
1 File(s) 770,141 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

12/06/2004 01:05 AM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

01/17/2007 03:40 PM 185,896 realsched.exe
1 File(s) 185,896 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

01/07/2004 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

10/30/2004 02:59 PM 385,024 ifrmewrk.exe
1 File(s) 385,024 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

155648 Sep 13 2004 "C:\Program Files\Apoint\Apoint.exe"
155648 Sep 13 2004 "C:\drivers\mouse\onboard\Apoint.exe"
155648 Sep 13 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 2 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
120640 Dec 30 2004 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
120640 Dec 30 2004 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 12 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 12 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Feb 15 2005 "C:\WINDOWS\system32\hkcmd.exe"
126976 Feb 15 2005 "C:\drivers\video\onboard\hkcmd.exe"
126976 Feb 15 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
155648 Feb 15 2005 "C:\WINDOWS\system32\igfxtray.exe"
155648 Feb 15 2005 "C:\drivers\video\onboard\igfxtray.exe"
155648 Feb 15 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
67184 Dec 10 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
67184 Dec 10 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
53248 Apr 26 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
53248 Apr 26 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
712704 Aug 11 2006 "C:\Program Files\Maxtor\ManagerApp\Onetouch.exe"
712704 Aug 11 2006 "C:\Program Files\Maxtor\ManagerApp\bak\Onetouch.exe"
81920 Aug 11 2006 "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
81920 Aug 11 2006 "C:\Program Files\Maxtor\OneTouch Status\bak\maxmenumgr.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
770141 Dec 20 2004 "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Mgr.exe"
770141 Dec 20 2004 "C:\Program Files\Sony Ericsson\Wireless Manager\bak\GC75Mgr.exe"
127035 Dec 6 2004 "C:\WINDOWS\system32\dla\tfswctrl.exe"
127035 Dec 6 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Dec 6 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
185896 Jan 17 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 Jan 17 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
385024 Oct 30 2004 "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe"
385024 Oct 30 2004 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report

#10 teacup61 (Malware Response Team)

Posted 08 November 2007 - 12:57 PM

Perfect :blink:

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Apoint\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Symantec AntiVirus\bak
C:\WINDOWS\system32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Maxtor\ManagerApp\bak
C:\Program Files\Maxtor\OneTouch Status\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Sony Ericsson\Wireless Manager\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Intel\Wireless\Bin\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

Almost done with this infection, then we'll check and be sure everything else is good. :thumbsup:

Thanks,
tea

Edited by teacup61, 08 November 2007 - 12:57 PM.

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
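As an added example (not FindAWF's own code and not from this thread), the script below parses the "Duplicate files of bak directory contents" section of a FindAWF report, derives the de-duplicated list of bak folders that goes into folders.txt for Option 3, and flags any live file whose size differs from its bak copy, which is the tell-tale of the AWF swap where the original was moved into bak and replaced. The sample report is constructed in the format shown above; the QuickTime size mismatch is made up to exercise the check.

```python
"""Derive the folders.txt list and size mismatches from a FindAWF report."""
import ntpath
import re

# Constructed sample in the FindAWF report format seen in this thread.
# The QuickTime pair is invented to show a size mismatch; the other
# sizes and dates are the ones that appear in the posted logs.
SAMPLE_REPORT = """\
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

127035 Dec 6 2004 "C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
127035 Dec 6 2004 "C:\\WINDOWS\\system32\\dla\\bak\\tfswctrl.exe"
40048 May 11 2007 "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe"
40048 May 11 2007 "C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\bak\\Reader_sl.exe"
31744 Dec 5 2006 "C:\\Program Files\\QuickTime\\qttask.exe"
282624 Dec 5 2006 "C:\\Program Files\\QuickTime\\bak\\qttask.exe"

end of report
"""

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse_report(text):
    """Return (size, date, path) tuples for every file line in the report."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def is_bak_copy(path):
    """True when the file sits directly inside a folder named 'bak'."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "bak"


def live_path(bak_path):
    """Map ...\\bak\\file.exe back to the location the original was taken from."""
    bak_dir = ntpath.dirname(bak_path)
    return ntpath.join(ntpath.dirname(bak_dir), ntpath.basename(bak_path))


def bak_folders(entries):
    """Sorted, de-duplicated bak folders, i.e. the list to paste into folders.txt."""
    return sorted({ntpath.dirname(p) for _, _, p in entries if is_bak_copy(p)})


def size_mismatches(entries):
    """(live, live_size, bak_size) where the live file differs from or lacks its bak copy."""
    sizes = {p: s for s, _, p in entries}
    bad = []
    for size, _, path in entries:
        if not is_bak_copy(path):
            continue
        live = live_path(path)
        if sizes.get(live) != size:
            bad.append((live, sizes.get(live), size))
    return bad


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("bak folders to list in folders.txt:")
    for folder in bak_folders(found):
        print("  " + folder)
    for live, live_size, bak_size in size_mismatches(found):
        print(f"size differs: {live} live={live_size} bak={bak_size}")
```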

#11 Ravyn77

Ravyn77
  • Topic Starter
  • Members
  • 9 posts
  • Local time:04:19 AM

Posted 08 November 2007 - 01:00 PM

Done! See new log below. Thanks for being so thorough!
-----------------------------------------------------------------------------
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Thu 11/08/2007
The current time is: 12:59:06.00


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

12/05/2006 04:39 PM 282,624 qttask.exe
1 File(s) 282,624 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
282624 Dec 5 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"


end of report

#12 teacup61

teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:19 AM

Posted 08 November 2007 - 01:11 PM

Good job. :blink: You're welcome.

To finish, run Option 4.

Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT.

Now please post a new HijackThis log and let me know if you're having any problems......doing okay now? :thumbsup:

#13 Ravyn77

Ravyn77
  • Topic Starter
  • Members
  • 9 posts
  • Local time:04:19 AM

Posted 08 November 2007 - 01:34 PM

Everything seems good! I rebooted and everything! Hooray!
Anything I can do to keep this from happening again?
Also, should I remove Spybot unless I need it again? Or leave it and just exit the TeaTimer every time I start up my computer? The little icon didn't open and place itself in the bottom far right this time, but I'm afraid it comes back and asks me to allow/block things I don't understand.
And now I'm getting a little nervous again because everything keeps freezing...
But at least the virus is gone! Hooray for teacup61!
New HJT log below.
__________________________________________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:22:26 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\JHSecure\VPN Client\cvpnd.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Maxtor\Utils\SyncServices.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [GC75-Mgr-Class] "C:\Program Files\Sony Ericsson\Wireless Manager\GC75Mgr.exe" -startup
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\Program Files\Maxtor\ManagerApp\Onetouch.exe
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: DataViz Inc Messenger.lnk = C:\Program Files\Common Files\DataViz\DvzIncMsgr.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: JHSecure VPN Client.lnk = C:\Program Files\JHSecure\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by117fd.bay117.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1118415753796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1194035216015
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/emailimport/ms/emailimport.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\JHSecure\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MaxBackServiceInt - Unknown owner - C:\Program Files\Maxtor\Maxtor Backup\MaxBackServiceInt.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: MaxSyncService (NTService1) - - C:\Program Files\Maxtor\Utils\SyncServices.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 11190 bytes

#14 teacup61

teacup61
    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:19 AM

Posted 08 November 2007 - 01:49 PM

Just leave Tea Timer off for the time being. It gets a little freaky, as you've learned, and it's worse during times like this when we're trying to clean.

I see Viewpoint installed.
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we knew in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now, if you did not install it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

* Viewpoint
* Viewpoint Manager
* Viewpoint Media Player

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer a time or 2 and let me know how it's running. :thumbsup:

HHmmm.....one more thing, please......Could I see an uninstall list?

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Thanks,
tea

#15 Ravyn77

Ravyn77
  • Topic Starter
  • Members
  • 9 posts
  • Local time:04:19 AM

Posted 08 November 2007 - 02:51 PM

That took FOREVER with all the freezing, sorry...but everything went back to normal speed as soon as that stuff was fixed! Perfect!

Two notes (that may just be me worrying too much):
1. Just before your last post, a little Java update thing came up, and I thought we were done so I ran it. It was a lil orange cup of coffee in the bottom right. I hope that is ok.

2. TeaTimer came back at reboot, and before I could close it, it asked me whether or not to allow the changes HijackThis made. I noticed that two of them were "repaired" and the rest were deleted. Wanted to make sure that was ok.

Other than that, everything is running beautifully! Below is the list you requested.
___________________________________________________________
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.0
ALPS Touch Pad Driver
Amos 6
Apple Software Update
Bluetooth Stack for Windows by Toshiba
Broadcom Advanced Control Suite 2
Broadcom ASF Management Applications
Business Contact Manager for Outlook 2003
Conexant D110 MDC V.9x Modem
Dial 4.0
Digital Line Detect
Documents To Go
EndNote
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
ImageMixer VCD2
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
Intercooled Stata 8 for Windows
Internal Network Card Power Management
ISI ResearchSoft - Export Helper
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 2
Java™ 6 Update 3
LiveUpdate 2.0 (Symantec Corporation)
Macromedia Flash Player
Maxtor Backup
Maxtor Encryption
Maxtor OneTouch III
mCore
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
Move Networks Player for Internet Explorer
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
mToolkit
mWlsSafe
mXML
mZConfig
NetWaiting
OMCI
Palm
Panda ActiveScan
PowerDVD 5.1
QuickSet
QuickTime
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Sony Ericsson Wireless Manager
Sony USB Driver
SPSS 14.0 for Windows
Spybot - Search & Destroy
Symantec AntiVirus
Symantec Technical Support Web Controls
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VPN Client
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool
Yahoo! Photos Print-at-Home Tool



