
Need help with a pop-up and no access to "Control Panel", "Add/Remove Programs" or other administrator functions.


  • This topic is locked
22 replies to this topic

#1 VTSkeeter

VTSkeeter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Vermont
  • Local time:12:39 AM

Posted 14 November 2007 - 07:25 PM

Hi, I am new to this forum but I have a real problem that other advice has not helped. I am operating a Windows XP Dell PC with Broadband access from Comcast. In the last 3-4 weeks we have seen a degradation in the speed of the PC and plenty of annoying pop-ups every 5 minutes. We have also found that Google is trying to take over the Homepage from our default Comcast Homepage. It's a real mess. What I need is instruction to get back Administrator Privileges, access to Control Panel et al. Then we want to stop the annoying pop-up telling us we have a "Windows Security Alert" box indicating we had a serious infection and need to download some software.

I have followed your instructions and downloaded the software recommended, which includes: Ad-Aware, Spybot, SUPERAntiSpyware Free Edition, Windows Defender and the personal firewall BitDefender. I have run the scans in Safe Mode as recommended and have downloaded the HijackThis software and run the scan. Attached is the file. I also attempted to attach a PowerPoint slide of the pop-up "Windows Security Alert" box but got a message from Sygate saying an outgoing connection was being blocked??? Don't I have a choice to change the action?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:31 PM, on 11/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\winter.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (file missing)
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - (no file)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C377A9ED-B976-42C4-9703-DED13403C2F4} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINDOWS\system32\bronto.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\JIMLYN~1\LOCALS~1\Temp\ujjivnwv.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\smc.exe -startgui
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Undefined] C:\WINDOWS\system32\winter.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Startup: infos.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsrngt.exe
O4 - Global Startup: autos.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Search - ?p=ZZ
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_2_0_0_71.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173748807218
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifgfdd - iifgfdd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\smc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\projy.html

--
End of file - 11711 bytes
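An added example, not part of this thread and not code from HijackThis or BleepingComputer: a small Python triage script that parses lines in the HijackThis v2 log format shown above and flags the entry types a helper normally reviews first (a non-default `F2` Shell value, an `O4` autostart pointing into a Temp folder, `O7` admin-tool restrictions, `O15` Trusted Zone additions, `O17` NameServer overrides and `O20` AppInit_DLLs). The sample lines are copied from the log above; the flagging rules are generic heuristics I chose for illustration, not a verdict on any particular entry.

```python
import re

# Constructed sample: a few lines in HijackThis v2 log format, taken from the
# log posted above. Backslashes are kept literally via the raw string.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\proper.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NI.UGA6P_0001_N122M2210] "C:\DOCUME~1\JIMLYN~1\LOCALS~1\Temp\ujjivnwv.exe"
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.trustedantivirus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O20 - AppInit_DLLs: C:\WINDOWS\system32\skuns.dat
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# Every HijackThis entry starts with a section code (R0, F2, O4, O23, ...) and " - ".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")


def parse(log_text):
    """Return a list of (section_code, body) tuples; non-entry lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def review(entries):
    """Apply review heuristics (assumptions, not verdicts) to parsed entries.

    Returns (section_code, reason, body) for each entry a reviewer should look at.
    """
    findings = []
    for kind, body in entries:
        if kind == "F2" and "Shell=" in body:
            # The normal system.ini Shell value is exactly "Explorer.exe"; anything
            # appended to it is launched at every logon.
            shell_value = body.split("Shell=", 1)[1].strip()
            if shell_value.lower() != "explorer.exe":
                findings.append((kind, "Shell value is not plain Explorer.exe", body))
        elif kind == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
            # Legitimate software rarely autostarts from a user's Temp folder.
            findings.append((kind, "autostart entry runs from a Temp folder", body))
        elif kind == "O7":
            # Policy keys such as DisableRegedit lock the user out of admin tools.
            findings.append((kind, "policy restricting administrator tools", body))
        elif kind == "O15":
            # Sites in the Trusted Zone get relaxed IE security settings.
            findings.append((kind, "domain added to the IE Trusted Zone", body))
        elif kind == "O17" and "NameServer" in body:
            # An explicit DNS server should be one the ISP or admin configured.
            findings.append((kind, "explicit NameServer; confirm it belongs to your ISP", body))
        elif kind == "O20" and "AppInit_DLLs" in body:
            # AppInit_DLLs are loaded into every process that uses user32.dll.
            findings.append((kind, "AppInit_DLLs entry loads a library into every GUI process", body))
    return findings


def triage(log_text):
    """Parse a log and return its review findings."""
    return review(parse(log_text))


if __name__ == "__main__":
    for kind, reason, body in triage(SAMPLE_LOG):
        print(f"[{kind}] {reason}\n    {body}")
```

The script deliberately leaves normal-looking entries (`R0`, the Windows Defender `O4`, the Symantec `O23`) unflagged, so the output is the short list a helper would ask about rather than the whole log.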


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:39 PM

Posted 16 November 2007 - 10:44 PM

Hello VTSkeeter,

I hear it is snowing in VT. :thumbsup:

It looks like you have several nasty infections on this computer, so this will take a while to remove all the malware.

Download: DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf
To use: Close all open browsers
Right-click DelDomains.inf and select: Install
Note: this will remove all entries in the Trusted Zone and Restricted Zone.


I see you are running Teatimer.
Please disable it because it can interfere with the changes we will make on your system.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup
When everything is done and your log is clean again, you can enable Teatimer again.


We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After we have your computer clean it is very important that you enable Real-time Protection again.


First, let's run ComboFix.

If you have used ComboFix before, please delete the version you have and re-download it, because ComboFix is updated every day.

Disconnect from the Internet while running ComboFix.

Temporarily disable any anti-virus and anti-malware real-time protection before performing a scan.
They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.



1. Download this file - combofix.exe to your Desktop.
Note:
It is important that it is saved directly to your desktop

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you, C:\ComboFix.txt. Post the ComboFix log and a fresh HijackThis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
In case you see a sed.cfexe error with the option to send a report or not, choose "don't send".

Edited by SifuMike, 16 November 2007 - 11:09 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 VTSkeeter

VTSkeeter
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Gender:Male
  • Location:Vermont
  • Local time:12:39 AM

Posted 17 November 2007 - 02:51 PM

Hey, big thanks for taking on this problem. It has been interesting. Yes, it was snowing yesterday but most of it didn't stick. 4-9" on top of Killington.

Back to the problem. I followed your instructions as you directed me, except I did not know how to disable Spybot, AVG or BitDefender. Here is the ComboFix log (the fresh HijackThis report is at the end):

ComboFix 07-11-08.1 - Jim Lynch 2007-11-17 14:29:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.234 [GMT -5:00]
Running from: C:\Documents and Settings\Jim Lynch\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
C:\Documents and Settings\Debbie Lynch\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Debbie Lynch\ResErrors.log
C:\Documents and Settings\Debbie Lynch\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\Debbie Lynch\Start Menu\Programs\Startup\TA_Start.lnk
C:\Documents and Settings\Jim Lynch\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Jim Lynch\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\Jim Lynch\Start Menu\Programs\Startup\ta_start.lnk
C:\Program Files\Common Files\projy.html
C:\Program Files\Temporary
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1192453892.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bronto.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\oTt02e
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\proper.exe
C:\WINDOWS\system32\winter.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_XLAVBA8
-------\xlavba8


((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-17 13:58 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-14 18:05 <DIR> d-------- C:\Program Files\Netport
2007-11-14 18:05 <DIR> d-------- C:\Program Files\Install
2007-11-14 06:08 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\COMCASTTOOLBAR
2007-11-14 06:04 15,088 --a------ C:\Program Files\TState.dat
2007-11-14 06:04 15,088 --a------ C:\Program Files\StdState.dat
2007-11-14 05:56 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-11-14 05:56 33,600 --a------ C:\Program Files\Converdef.dat
2007-11-14 05:56 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-11-14 05:56 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2007-11-14 05:56 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2007-11-14 05:56 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2007-11-14 05:56 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-11-14 05:55 <DIR> d-------- C:\Program Files\Help
2007-11-14 05:55 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2007-11-14 05:19 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2007-11-13 19:35 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-12 21:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-12 21:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-12 21:42 <DIR> d-------- C:\Documents and Settings\Jim Lynch\Application Data\SUPERAntiSpyware.com
2007-11-12 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-12 15:18 <DIR> d-------- C:\Documents and Settings\Jim Lynch\.limewire
2007-11-11 18:53 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-11-01 17:17 <DIR> d-------- C:\Documents and Settings\Debbie Lynch\Application Data\COMCASTTOOLBAR
2007-10-30 19:20 14,411 --a------ C:\WINDOWS\SYSTEM32\instdump.zip
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-24 10:33 658,432 --a------ C:\WINDOWS\is-949G0.exe
2007-10-23 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-23 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-23 16:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-23 16:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-23 16:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-10-23 16:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-10-22 16:51 6,505 --ahs---- C:\WINDOWS\SYSTEM32\cbeeg.bak1
2007-10-22 08:38 <DIR> d-------- C:\Program Files\Registry Defender
2007-10-21 13:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\Logs
2007-10-21 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-21 01:31 740,280 --ahs---- C:\WINDOWS\SYSTEM32\wvvwa.bak2
2007-10-20 21:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-20 21:00 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-10-20 14:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\COMCASTTOOLBAR
2007-10-20 13:31 6,465 --ahs---- C:\WINDOWS\SYSTEM32\wvvwa.bak1
2007-10-20 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\od2
2007-10-20 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\ib1
2007-10-20 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\cp1
2007-10-20 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\bo2
2007-10-20 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\ap1
2007-10-20 13:18 <DIR> d--hs---- C:\WINDOWS\RGViYmllIEx5bmNo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 19:35 15,088 ----a-w C:\Program Files\TState.dat.bak
2007-11-17 19:35 15,088 ----a-w C:\Program Files\StdState.dat.bak
2007-11-17 19:35 128,832 ----a-w C:\Program Files\stddef.dat
2007-11-17 19:35 128,832 ----a-w C:\Program Files\Default.dat.bak
2007-11-17 19:35 128,832 ----a-w C:\Program Files\Default.dat
2007-11-17 19:35 12,296 ----a-w C:\Program Files\syslog.log
2007-11-17 19:35 108,776 ----a-w C:\Program Files\debug.log
2007-11-17 19:34 524,289 ----a-w C:\Program Files\tralog.log
2007-11-17 19:34 218 ----a-w C:\Program Files\TSysConf.xml
2007-11-17 19:27 --------- d-----w C:\Documents and Settings\Jim Lynch\Application Data\ComcastToolbar
2007-11-17 19:23 128,832 ----a-w C:\Program Files\Stddef.dat.bak
2007-11-17 09:44 5,451 ----a-w C:\Program Files\seclog.log
2007-11-16 23:14 --------- d-----w C:\Program Files\PokerStars
2007-11-15 23:06 --------- d-----w C:\Documents and Settings\Debbie Lynch\Application Data\MSN6
2007-11-14 11:04 72 ----a-w C:\Program Files\rawlog.log
2007-11-14 10:56 250 ----a-w C:\Program Files\SetAid.log
2007-11-07 09:10 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-07 09:10 --------- d-----w C:\Program Files\Windows Defender
2007-11-07 09:10 --------- d-----w C:\Program Files\WebIQ
2007-11-07 09:09 --------- d-----w C:\Program Files\support.com
2007-11-07 09:09 --------- d-----w C:\Program Files\QuickTime
2007-11-07 09:09 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-07 09:09 --------- d-----w C:\Program Files\Google
2007-11-07 09:09 --------- d-----w C:\Program Files\DellSupport
2007-11-07 09:09 --------- d-----w C:\Program Files\Connection Wizard
2007-11-07 09:09 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-07 09:09 --------- d-----w C:\Program Files\ComcastToolbar
2007-10-23 20:44 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-23 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-21 23:30 --------- d-----w C:\Program Files\EmpirePokerMaster
2007-10-21 16:05 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-10-20 19:07 246 ----a-w C:\Program Files\Common Files\lazu
2007-10-13 16:32 --------- d-----w C:\Documents and Settings\Jim Lynch\Application Data\ZoomBrowser EX
2007-10-13 16:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-07 15:36 --------- d-----w C:\Program Files\HP
2007-10-07 15:27 --------- d-----w C:\Documents and Settings\Debbie Lynch\Application Data\Viewpoint
2007-09-19 14:37 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-19 14:37 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-19 14:37 10,676 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-19 14:37 --------- d-----w C:\Program Files\Symantec
2007-06-12 00:18 194,376 ----a-w C:\Documents and Settings\Jim Lynch\Application Data\shb.dat
2005-05-15 15:59 494,704 ----a-w C:\Program Files\ytb02_efgsip.exe
2004-10-16 00:40 2,577,632 ----a-w C:\Program Files\Smc.exe
2004-10-15 23:32 95,488 ----a-w C:\Program Files\PSSensor.dll
2004-10-15 23:32 95,384 ----a-w C:\Program Files\wsman.dll
2004-10-15 23:32 91,288 ----a-w C:\Program Files\wgman.dll
2004-10-15 23:32 890,088 ----a-w C:\Program Files\SpNet.dll
2004-10-15 23:32 832,744 ----a-w C:\Program Files\SyLink.dll
2004-10-15 23:32 619,760 ----a-w C:\Program Files\SSHelper.dll
2004-10-15 23:32 541,936 ----a-w C:\Program Files\Netport.dll
2004-10-15 23:32 394,496 ----a-w C:\Program Files\IdsTrafficPipe.dll
2004-10-15 23:32 169,208 ----a-w C:\Program Files\DataMan.dll
2004-10-15 23:32 148,632 ----a-w C:\Program Files\SyLog.dll
2004-10-15 23:32 132,248 ----a-w C:\Program Files\wpsman.dll
2004-10-15 23:32 128,152 ----a-w C:\Program Files\tfman.dll
2004-10-15 23:32 1,385,712 ----a-w C:\Program Files\tse.dll
2004-10-15 23:32 1,103,096 ----a-w C:\Program Files\trident.dll
2004-10-15 23:31 33,712 ----a-w C:\Program Files\cltdef.dat
2004-10-15 23:31 17,392 ----a-w C:\Program Files\serdef.dat
2004-10-15 23:31 112,512 ----a-w C:\Program Files\sdi.dat
2004-10-15 23:18 21,075 ----a-w C:\Program Files\WPSDRVNT.sys
2004-10-15 23:17 60,496 ----a-w C:\Program Files\teefer.sys
2004-10-15 23:15 6,038 ----a-w C:\Program Files\trojan.dat
2004-10-15 23:15 5,136 ----a-w C:\Program Files\Readme.txt
2004-10-15 23:15 298 ----a-w C:\Program Files\SyLink.xml
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,871,872 2004-09-07 17:55:20 C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe

----a-w 180,269 2004-07-28 19:51:47 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 32,768 2003-11-01 00:42:40 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 204,800 2003-08-27 00:47:34 C:\Program Files\Dell\Media Experience\bak\PCMService.exe

----a-w 460,784 2007-03-15 15:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w 221,184 2003-09-04 01:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 118,784 2003-10-10 18:25:02 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

----a-w 77,824 2005-09-03 23:04:59 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 26,636 2007-10-11 06:56:57 C:\Program Files\QuickTime\qttask.exe

----a-w 1,003,520 2006-05-28 01:03:09 C:\Program Files\Real\RealPlayer\bak\realplay.exe

----a-w 1,773,568 2007-03-07 14:58:20 C:\Program Files\support.com\bin\bak\tgcmd.exe

----a-w 67,264 2006-05-15 22:24:33 C:\Program Files\Symantec\LiveUpdate\bak\ALUNOTIFY.EXE

----a-w 4,670,704 2007-08-30 21:43:18 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w 4,670,704 2007-08-30 21:43:18 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-w 126,976 2005-06-22 04:44:34 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe

----a-w 155,648 2001-07-09 16:50:42 C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe

----a-w 122,933 2004-03-15 06:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C377A9ED-B976-42C4-9703-DED13403C2F4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" []
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2005-09-03 18:04]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SmcService"="C:\PROGRA~1\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" []
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" []
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgfdd]
iifgfdd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

R2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys
S3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOWS\system32\noskrnl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 19:38:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 14:35:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 14:39:31 - machine was rebooted
.
--- E O F ---

Here is the fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:09 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (file missing)
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C377A9ED-B976-42C4-9703-DED13403C2F4} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\smc.exe -startgui
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Search - ?p=ZZ
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_2_0_0_71.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173748807218
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifgfdd - iifgfdd.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\smc.exe

--
End of file - 8858 bytes

#4 SifuMike


    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:39 PM

Posted 17 November 2007 - 03:37 PM

Hello VTSkeeter,

You have a suspicious file we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\WINDOWS\is-949G0.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.
Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the results of scan results here.

*******************************************

Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial

*******************************************

Select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix checked"

R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (file missing)
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {C377A9ED-B976-42C4-9703-DED13403C2F4} - (no file)
O8 - Extra context menu item: &Search - ?p=ZZ
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O20 - Winlogon Notify: iifgfdd - iifgfdd.dll (file missing)


*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues or Registry button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Autocomplete Form History.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section except for Start Menu Shortcuts and Desktop Shortcuts.
Clean any others that you choose.

In the Applications Tab:
Clean all including cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************

Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
C:\WINDOWS\SYSTEM32\cbeeg.bak1
C:\WINDOWS\SYSTEM32\wvvwa.bak2
C:\WINDOWS\SYSTEM32\wvvwa.bak1

Folder:: 
C:\WINDOWS\SYSTEM32\od2
C:\WINDOWS\SYSTEM32\ib1
C:\WINDOWS\SYSTEM32\cp1
C:\WINDOWS\SYSTEM32\bo2
C:\WINDOWS\SYSTEM32\ap1
C:\WINDOWS\RGViYmllIEx5bmNo


Name the Notepad file CFScript.txt and Save it to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log and results of the Virus Total scan.

Edited by SifuMike, 17 November 2007 - 03:40 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
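The items SifuMike picks out for "fix checked" above share a pattern: most are HijackThis entries whose target is tagged "(file missing)" or "(no file)", i.e. registry or browser hooks left behind after the file itself was removed, plus an O16 ActiveX download fetched from a bare IP address and an O8 context-menu item with no usable target. As an added example (this is the editor's own code, not part of the thread, of HijackThis or of Trend Micro), the script below reads HijackThis v2 log lines and reports entries matching those three patterns so a reviewer can go over them first. The embedded log is a constructed excerpt modelled on entries quoted earlier in the thread; the field names and the `review_hjt_log` function are this example's own.

```python
"""Triage helper for HijackThis v2 logs (added example, not from the thread).

Reports three kinds of entry that a reviewer normally looks at first:
  1. any entry whose target is "(file missing)" or "(no file)"  -> orphaned hook
  2. O16 (ActiveX DPF) entries downloaded from a bare IP address
  3. O8 context-menu items whose target is not a URL or res:// resource
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample log, modelled on the HijackThis entries quoted in the thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R3 - URLSearchHook: (no name) - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: &Search - ?p=ZZ
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_2_0_0_71.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iifgfdd - iifgfdd.dll (file missing)
"""

# A HijackThis entry line looks like "O2 - BHO: ..." or "R3 - URLSearchHook: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")
URL_SCHEMES = ("res://", "http://", "https://", "file://")


@dataclass
class Finding:
    kind: str    # HijackThis section code, e.g. "O20"
    reason: str  # why the entry was flagged
    line: str    # the original log line


def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is a dotted-quad IPv4 address rather than a hostname."""
    host = urlparse(url).hostname or ""
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host) is not None


def review_hjt_log(text: str) -> list[Finding]:
    """Return the entries a reviewer should inspect first, in log order."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if not match:
            continue  # header lines, the process list and blank lines are skipped
        kind, body = match.group("kind"), match.group("body")
        # The last " - " separated field of an entry is its target (path or URL).
        target = body.rsplit(" - ", 1)[-1]

        if body.endswith(ORPHAN_MARKERS):
            findings.append(Finding(kind, "target file is missing (orphaned entry)", line))
        elif kind == "O16" and host_is_ip_literal(target):
            findings.append(Finding(kind, "ActiveX download served from a bare IP address", line))
        elif kind == "O8" and not target.lower().startswith(URL_SCHEMES):
            findings.append(Finding(kind, "context-menu item with no usable target", line))
    return findings


if __name__ == "__main__":
    for finding in review_hjt_log(SAMPLE_LOG):
        print(f"[{finding.kind}] {finding.reason}\n    {finding.line}")
```

Run against the constructed excerpt, the script flags the R3, O2 (IDM Helper), O8 (&Search), O9 (EmpirePoker), O16 (bare-IP .cab) and O20 (iifgfdd) entries, and leaves the Google Toolbar BHO, the Windows Defender Run key, the NetZero res:// item, the BitDefender scanner and the SUPERAntiSpyware Winlogon hook alone. A flagged entry is a starting point for review, not a verdict; the orphaned ones are harmless to remove precisely because nothing is left on disk for them to load.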

#5 VTSkeeter

  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Vermont
  • Local time:12:39 AM

Posted 17 November 2007 - 07:04 PM

OK, we are making progress. The annoying pop-up has not been seen and I can see "Control Panel" on the Start Tool bar again. The system does seem to be loading a lot faster too. Thank you, thank you. But do I have to still worry about re-infection or have I got a lot to do yet? I would like to know what we did to cause these things to happen.

Here is the ComboFix log and the latest HijackThis log.

ComboFix 07-11-08.1 - Jim Lynch 2007-11-17 18:41:30.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.265 [GMT -5:00]
Running from: C:\Documents and Settings\Jim Lynch\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jim Lynch\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\SYSTEM32\cbeeg.bak1
C:\WINDOWS\SYSTEM32\wvvwa.bak1
C:\WINDOWS\SYSTEM32\wvvwa.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\RGViYmllIEx5bmNo
C:\WINDOWS\SYSTEM32\ap1
C:\WINDOWS\SYSTEM32\bo2
C:\WINDOWS\SYSTEM32\cbeeg.bak1
C:\WINDOWS\SYSTEM32\cp1
C:\WINDOWS\SYSTEM32\cp1\dode83122.exe
C:\WINDOWS\SYSTEM32\ib1
C:\WINDOWS\SYSTEM32\od2
C:\WINDOWS\SYSTEM32\wvvwa.bak1
C:\WINDOWS\SYSTEM32\wvvwa.bak2

.
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.

2007-11-17 18:29 <DIR> d-------- C:\Program Files\CCleaner
2007-11-17 14:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-17 13:58 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-14 18:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-14 18:05 <DIR> d-------- C:\Program Files\Netport
2007-11-14 18:05 <DIR> d-------- C:\Program Files\Install
2007-11-14 06:08 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\COMCASTTOOLBAR
2007-11-14 06:04 15,088 --a------ C:\Program Files\TState.dat
2007-11-14 06:04 15,088 --a------ C:\Program Files\StdState.dat
2007-11-14 05:56 60,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\Teefer.sys
2007-11-14 05:56 33,600 --a------ C:\Program Files\Converdef.dat
2007-11-14 05:56 21,075 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wpsdrvnt.sys
2007-11-14 05:56 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg6n.sys
2007-11-14 05:56 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg5n.sys
2007-11-14 05:56 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg4n.sys
2007-11-14 05:56 14,568 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\wg3n.sys
2007-11-14 05:55 <DIR> d-------- C:\Program Files\Help
2007-11-14 05:55 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2007-11-14 05:19 23,600 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\TVICHW32.SYS
2007-11-13 19:35 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-12 21:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-12 21:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-12 21:42 <DIR> d-------- C:\Documents and Settings\Jim Lynch\Application Data\SUPERAntiSpyware.com
2007-11-12 21:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-12 15:18 <DIR> d-------- C:\Documents and Settings\Jim Lynch\.limewire
2007-11-11 18:53 63,488 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\icardie.dll
2007-11-01 17:17 <DIR> d-------- C:\Documents and Settings\Debbie Lynch\Application Data\COMCASTTOOLBAR
2007-10-30 19:20 14,411 --a------ C:\WINDOWS\SYSTEM32\instdump.zip
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-24 10:33 658,432 --a------ C:\WINDOWS\is-949G0.exe
2007-10-23 16:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-23 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-23 16:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-23 16:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-10-23 16:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-10-23 16:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2007-10-22 08:38 <DIR> d-------- C:\Program Files\Registry Defender
2007-10-21 13:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\Logs
2007-10-21 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-20 21:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-20 21:00 626,688 --a------ C:\WINDOWS\SYSTEM32\msvcr80.dll
2007-10-20 14:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\COMCASTTOOLBAR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 23:43 118,654 ----a-w C:\Program Files\debug.log
2007-11-17 23:25 --------- d-----w C:\Documents and Settings\Jim Lynch\Application Data\ComcastToolbar
2007-11-17 20:20 --------- d-----w C:\Program Files\PokerStars
2007-11-17 19:57 --------- d-----w C:\Program Files\Google
2007-11-17 19:35 15,088 ----a-w C:\Program Files\TState.dat.bak
2007-11-17 19:35 15,088 ----a-w C:\Program Files\StdState.dat.bak
2007-11-17 19:35 128,832 ----a-w C:\Program Files\stddef.dat
2007-11-17 19:35 128,832 ----a-w C:\Program Files\Default.dat.bak
2007-11-17 19:35 128,832 ----a-w C:\Program Files\Default.dat
2007-11-17 19:35 12,296 ----a-w C:\Program Files\syslog.log
2007-11-17 19:34 524,289 ----a-w C:\Program Files\tralog.log
2007-11-17 19:34 218 ----a-w C:\Program Files\TSysConf.xml
2007-11-17 19:23 128,832 ----a-w C:\Program Files\Stddef.dat.bak
2007-11-17 09:44 5,451 ----a-w C:\Program Files\seclog.log
2007-11-15 23:06 --------- d-----w C:\Documents and Settings\Debbie Lynch\Application Data\MSN6
2007-11-14 11:04 72 ----a-w C:\Program Files\rawlog.log
2007-11-14 10:56 250 ----a-w C:\Program Files\SetAid.log
2007-11-07 09:10 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-11-07 09:10 --------- d-----w C:\Program Files\Windows Defender
2007-11-07 09:10 --------- d-----w C:\Program Files\WebIQ
2007-11-07 09:09 --------- d-----w C:\Program Files\support.com
2007-11-07 09:09 --------- d-----w C:\Program Files\QuickTime
2007-11-07 09:09 --------- d-----w C:\Program Files\Hewlett-Packard
2007-11-07 09:09 --------- d-----w C:\Program Files\DellSupport
2007-11-07 09:09 --------- d-----w C:\Program Files\Connection Wizard
2007-11-07 09:09 --------- d-----w C:\Program Files\Common Files\Scanner
2007-11-07 09:09 --------- d-----w C:\Program Files\ComcastToolbar
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shell32.dll
2007-10-23 20:44 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-23 20:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-21 23:30 --------- d-----w C:\Program Files\EmpirePokerMaster
2007-10-21 16:05 28,256 ----a-w C:\WINDOWS\system32\drivers\MxlW2k.sys
2007-10-20 19:07 246 ----a-w C:\Program Files\Common Files\lazu
2007-10-13 16:32 --------- d-----w C:\Documents and Settings\Jim Lynch\Application Data\ZoomBrowser EX
2007-10-13 16:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2007-10-07 15:36 --------- d-----w C:\Program Files\HP
2007-10-07 15:27 --------- d-----w C:\Documents and Settings\Debbie Lynch\Application Data\Viewpoint
2007-09-19 14:37 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-09-19 14:37 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-09-19 14:37 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-09-19 14:37 10,676 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-19 14:37 --------- d-----w C:\Program Files\Symantec
2007-08-22 12:55 474,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shlwapi.dll
2007-08-22 12:55 151,040 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cdfview.dll
2007-08-22 12:55 1,498,112 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\shdocvw.dll
2007-08-22 12:55 1,054,208 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\danim.dll
2007-08-22 12:55 1,022,976 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\browseui.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\SYSTEM32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\inetcomm.dll
2007-08-20 20:34 3,584,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mstime.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieapfltr.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\ieakui.dll
2007-06-12 00:18 194,376 ----a-w C:\Documents and Settings\Jim Lynch\Application Data\shb.dat
2005-05-15 15:59 494,704 ----a-w C:\Program Files\ytb02_efgsip.exe
2004-10-16 00:40 2,577,632 ----a-w C:\Program Files\Smc.exe
2004-10-15 23:32 95,488 ----a-w C:\Program Files\PSSensor.dll
2004-10-15 23:32 95,384 ----a-w C:\Program Files\wsman.dll
2004-10-15 23:32 91,288 ----a-w C:\Program Files\wgman.dll
2004-10-15 23:32 890,088 ----a-w C:\Program Files\SpNet.dll
2004-10-15 23:32 832,744 ----a-w C:\Program Files\SyLink.dll
2004-10-15 23:32 619,760 ----a-w C:\Program Files\SSHelper.dll
2004-10-15 23:32 541,936 ----a-w C:\Program Files\Netport.dll
2004-10-15 23:32 394,496 ----a-w C:\Program Files\IdsTrafficPipe.dll
2004-10-15 23:32 169,208 ----a-w C:\Program Files\DataMan.dll
2004-10-15 23:32 148,632 ----a-w C:\Program Files\SyLog.dll
2004-10-15 23:32 132,248 ----a-w C:\Program Files\wpsman.dll
2004-10-15 23:32 128,152 ----a-w C:\Program Files\tfman.dll
2004-10-15 23:32 1,385,712 ----a-w C:\Program Files\tse.dll
2004-10-15 23:32 1,103,096 ----a-w C:\Program Files\trident.dll
2004-10-15 23:31 33,712 ----a-w C:\Program Files\cltdef.dat
2004-10-15 23:31 17,392 ----a-w C:\Program Files\serdef.dat
2004-10-15 23:31 112,512 ----a-w C:\Program Files\sdi.dat
2004-10-15 23:18 21,075 ----a-w C:\Program Files\WPSDRVNT.sys
2004-10-15 23:17 60,496 ----a-w C:\Program Files\teefer.sys
2004-10-15 23:15 6,038 ----a-w C:\Program Files\trojan.dat
2004-10-15 23:15 5,136 ----a-w C:\Program Files\Readme.txt
2004-10-15 23:15 298 ----a-w C:\Program Files\SyLink.xml
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 1,871,872 2004-09-07 17:55:20 C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe

----a-w 180,269 2004-07-28 19:51:47 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

----a-w 110,592 2003-08-19 06:01:00 C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w 32,768 2003-11-01 00:42:40 C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe

----a-w 204,800 2003-08-27 00:47:34 C:\Program Files\Dell\Media Experience\bak\PCMService.exe

----a-w 460,784 2007-03-15 15:09:36 C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w 221,184 2003-09-04 01:12:44 C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w 118,784 2003-10-10 18:25:02 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

----a-w 77,824 2005-09-03 23:04:59 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 26,636 2007-10-11 06:56:57 C:\Program Files\QuickTime\qttask.exe

----a-w 1,003,520 2006-05-28 01:03:09 C:\Program Files\Real\RealPlayer\bak\realplay.exe

----a-w 1,773,568 2007-03-07 14:58:20 C:\Program Files\support.com\bin\bak\tgcmd.exe

----a-w 67,264 2006-05-15 22:24:33 C:\Program Files\Symantec\LiveUpdate\bak\ALUNOTIFY.EXE

----a-w 4,670,704 2007-08-30 21:43:18 C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-w 126,976 2005-06-22 04:44:34 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe

----a-w 155,648 2001-07-09 16:50:42 C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe

----a-w 122,933 2004-03-15 06:04:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" []
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" []
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" []
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" []
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" []
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2005-09-03 18:04]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"SmcService"="C:\PROGRA~1\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" []
"NBJ"="C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe" []
"RealPlayer"="C:\Program Files\Real\RealPlayer\realplay.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Find Fast.lnk - C:\Program Files\Microsoft Office\Office\FINDFAST.EXE [1997-07-11]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe

R2 UMAXPCLS;Print Port Scanner Driver;C:\WINDOWS\system32\DRIVERS\umaxpcls.sys
S3 noskrnl.sys;noskrnl.sys;\??\C:\WINDOWS\system32\noskrnl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 19:38:01 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 18:43:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-17 18:44:45
C:\ComboFix2.txt ... 2007-11-17 14:39
.
--- E O F ---

HijackThis Log 11_17_07C

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:48:52 PM, on 11/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\smc.exe -startgui
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A781DED-C22D-4153-3213-A3211E29DF13} (GameDesire Card Games) - http://67.15.101.3/g_bin/eng/cards_2_0_0_71.cab
O16 - DPF: {4FAE30E1-EE9C-477D-8D06-BF8D3429B60F} (WebIQ Technology Client) - http://webiq001.webiqonline.com/WebIQ/bin/WebIQ.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1173748807218
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O17 - HKLM\System\CS1\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{392C499B-C855-42AA-A470-919AA8ADD48F}: NameServer = 192.35.156.19
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\smc.exe

--
End of file - 6940 bytes


Here is the VirusTotal Scan:

File is-949G0.exe received on 11.17.2007 23:33:36 (CET)


Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.11.17.0 2007.11.16 -
AntiVir 7.6.0.34 2007.11.16 -
Authentium 4.93.8 2007.11.17 -
Avast 4.7.1074.0 2007.11.17 -
AVG 7.5.0.503 2007.11.17 -
BitDefender 7.2 2007.11.17 -
CAT-QuickHeal 9.00 2007.11.17 -
ClamAV 0.91.2 2007.11.17 -
DrWeb 4.44.0.09170 2007.11.17 -
eSafe 7.0.15.0 2007.11.14 -
eTrust-Vet 31.2.5304 2007.11.17 -
Ewido 4.0 2007.11.17 -
FileAdvisor 1 2007.11.17 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.16 -
F-Secure 6.70.13030.0 2007.11.17 -
Ikarus T3.1.1.12 2007.11.17 -
Kaspersky 7.0.0.125 2007.11.17 -
McAfee 5165 2007.11.16 -
Microsoft 1.3007 2007.11.17 -
NOD32v2 2665 2007.11.17 -
Norman 5.80.02 2007.11.16 -
Panda 9.0.0.4 2007.11.17 -
Prevx1 V2 2007.11.17 -
Rising 20.18.51.00 2007.11.17 -
Sophos 4.23.0 2007.11.17 -
Sunbelt 2.2.907.0 2007.11.17 -
Symantec 10 2007.11.17 -
TheHacker 6.2.9.133 2007.11.17 -
VBA32 3.12.2.5 2007.11.16 -
VirusBuster 4.3.26:9 2007.11.17 -
Webwasher-Gateway 6.0.1 2007.11.16 -
Additional information
File size: 658432 bytes
MD5: 1e8504d11b53d017c08dfd5f244ede48
SHA1: 43b6ce98482e8322410367a3b25e45b166f12af4

That's everything I believe. Let me know my next steps and when and which anti-spyware, anti-adware and firewalls I should use. Thanks,

Jim

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:39 PM

Posted 17 November 2007 - 07:15 PM

Hi Jim,

But do I have to still worry about re-infection or have I got a lot to do yet? I would like to know what we did to cause these things to happen.


I am sorry to say we still have to remove the nasty AWF infection. The main reason you got a Vundo infection is that you did not keep your Java updated. We will update Java after we remove all of the AWF infection.


Download FindAWF:
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced that we need to look at.
Please post it in your reply.

Edited by SifuMike, 17 November 2007 - 07:16 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 VTSkeeter

VTSkeeter
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vermont
  • Local time:12:39 AM

Posted 17 November 2007 - 10:06 PM

I ran the report and here it is:


Find AWF report by noahdfear 2006
Version 1.40

The current date is: Sat 11/17/2007
The current time is: 22:02:58.10


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 10:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/03/2005 06:04 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 02:56 AM 15,360 ctfmon.exe
06/21/2005 11:44 PM 126,976 hkcmd.exe
07/09/2001 11:50 AM 155,648 NeroCheck.exe
3 File(s) 297,984 bytes

Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

09/07/2004 12:55 PM 1,871,872 NBJ.exe
1 File(s) 1,871,872 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

10/31/2003 07:42 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

08/26/2003 07:47 PM 204,800 PCMService.exe
1 File(s) 204,800 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

10/10/2003 01:25 PM 118,784 mm_tray.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

05/27/2006 08:03 PM 1,003,520 realplay.exe
1 File(s) 1,003,520 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

03/07/2007 09:58 AM 1,773,568 tgcmd.exe
1 File(s) 1,773,568 bytes

Directory of C:\PROGRA~1\SYMANTEC\LIVEUP~1\BAK

05/15/2006 05:24 PM 67,264 ALUNOTIFY.EXE
1 File(s) 67,264 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

08/30/2007 04:43 PM 4,670,704 YahooMessenger.exe
1 File(s) 4,670,704 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/15/2004 01:04 AM 122,933 tfswctrl.exe
1 File(s) 122,933 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

07/28/2004 02:51 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
26636 Oct 11 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Sep 3 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\DRIVERS\VIDEO\HKCMD.EXE"
126976 Jun 21 2005 "C:\DRIVERS\R106456\Win2000\hkcmd.exe"
126976 Jun 21 2005 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
126976 Jan 23 2005 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
1871872 Sep 7 2004 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
135168 Oct 21 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
135168 Nov 19 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB_\mm_tray.exe"
118784 Oct 10 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
1003520 May 27 2006 "C:\Program Files\Real\RealPlayer\bak\realplay.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
67264 May 15 2006 "C:\Program Files\Symantec\LiveUpdate\bak\ALUNOTIFY.EXE"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
180269 Jul 28 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


end of report

#8 SifuMike


Posted 17 November 2007 - 10:19 PM

Hi Jim,

Please double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\DellSupport\bak\DSAgnt.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
"C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
"C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
"C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
"C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
"C:\Program Files\Real\RealPlayer\bak\realplay.exe"
"C:\Program Files\support.com\bin\bak\tgcmd.exe"
"C:\Program Files\Symantec\LiveUpdate\bak\ALUNOTIFY.EXE"
"C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
"C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
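The FindAWF report Jim posted above and the steps FindAWF performs in option 2 (stop the process, delete the rogue file from the parent folder, copy the original back from the bak folder) amount to one check a responder would want to automate: for every file sitting in a bak folder, does the live copy in the parent folder still match it? The Python below is an added example, not part of this thread and not FindAWF's own code. It assumes the report layout shown here (a "Duplicate files of bak directory contents" section whose lines read size, date, quoted path), takes a constructed sample trimmed from Jim's first report, and flags each live file whose size differs from its bak copy or that the report does not list at all. In the sample, qttask.exe is the one the size check catches, which matches what the restore step later fixed.

```python
"""Triage a FindAWF-style report: which files in a parent folder no longer
match the original copy that was stashed in the sibling 'bak' folder.

Added example; not FindAWF's own code. Assumes the report layout shown in
this thread: a 'Duplicate files of bak directory contents' section whose
lines read  <size> <Mon> <day> <year> "<full path>".
"""
import re
from typing import Dict, List, NamedTuple, Optional


class Entry(NamedTuple):
    size: int   # file size in bytes, as printed by the report
    date: str   # "Mon d yyyy" as printed; compared as text only
    path: str   # full Windows path, quotes stripped


# Constructed sample, trimmed from the first FindAWF report in this thread.
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
26636 Oct 11 2007 "C:\Program Files\QuickTime\qttask.exe"
77824 Sep 3 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"

end of report
"""

LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')


def parse_duplicates(report: str) -> List[Entry]:
    """Return the entries listed under 'Duplicate files of bak directory contents'."""
    entries: List[Entry] = []
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.lower().startswith("duplicate files of bak directory contents"):
            in_section = True
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parent_of_backup(path: str) -> Optional[str]:
    """Map '...\\bak\\name.exe' to the live file '...\\name.exe'; None if not a bak entry."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def triage(report: str) -> Dict[str, str]:
    """One verdict per live file that has a copy in a sibling 'bak' folder."""
    entries = parse_duplicates(report)
    by_path = {e.path.lower(): e for e in entries}   # Windows paths: compare case-insensitively
    verdicts: Dict[str, str] = {}
    for backup in entries:
        live_path = parent_of_backup(backup.path)
        if live_path is None:
            continue                                  # not a bak-folder entry
        live = by_path.get(live_path.lower())
        if live is None:
            verdicts[live_path] = "parent copy not listed in report"
        elif live.size != backup.size:
            verdicts[live_path] = (f"size mismatch (live {live.size} bytes, backup "
                                   f"{backup.size} bytes): likely replaced, restore from bak")
        elif live.date != backup.date:
            verdicts[live_path] = "same size, different date: inspect"
        else:
            verdicts[live_path] = "matches backup"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORT).items():
        print(f"{path}\n    {verdict}")
```

A live file the report does not list at all (DSAgnt.exe in the sample) is not cleared by this check; it simply cannot be compared from the report alone, which is why the restore list in the reply above includes every bak copy rather than only the ones with a visible size mismatch.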

#9 VTSkeeter


Posted 18 November 2007 - 05:41 AM

Mornin' Mike. Are we making good progress? Here is the re-run of the FindAWF scan:

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Sun 11/18/2007
The current time is: 5:33:04.39


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 10:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

09/03/2005 06:04 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 02:56 AM 15,360 ctfmon.exe
06/21/2005 11:44 PM 126,976 hkcmd.exe
07/09/2001 11:50 AM 155,648 NeroCheck.exe
3 File(s) 297,984 bytes

Directory of C:\PROGRA~1\AHEAD\NEROBA~1\BAK

09/07/2004 12:55 PM 1,871,872 NBJ.exe
1 File(s) 1,871,872 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

10/31/2003 07:42 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

08/26/2003 07:47 PM 204,800 PCMService.exe
1 File(s) 204,800 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

10/10/2003 01:25 PM 118,784 mm_tray.exe
1 File(s) 118,784 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

05/27/2006 08:03 PM 1,003,520 realplay.exe
1 File(s) 1,003,520 bytes

Directory of C:\PROGRA~1\SUPPORT.COM\BIN\BAK

03/07/2007 09:58 AM 1,773,568 tgcmd.exe
1 File(s) 1,773,568 bytes

Directory of C:\PROGRA~1\SYMANTEC\LIVEUP~1\BAK

05/15/2006 05:24 PM 67,264 ALUNOTIFY.EXE
1 File(s) 67,264 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

08/30/2007 04:43 PM 4,670,704 YahooMessenger.exe
1 File(s) 4,670,704 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/15/2004 01:04 AM 122,933 tfswctrl.exe
1 File(s) 122,933 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

07/28/2004 02:51 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003 01:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

460784 Mar 15 2007 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
77824 Sep 3 2005 "C:\Program Files\QuickTime\qttask.exe"
77824 Sep 3 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
114688 Apr 7 2003 "C:\DRIVERS\VIDEO\HKCMD.EXE"
126976 Jun 21 2005 "C:\WINDOWS\SYSTEM32\hkcmd.exe"
126976 Jun 21 2005 "C:\DRIVERS\R106456\Win2000\hkcmd.exe"
126976 Jun 21 2005 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
126976 Jan 23 2005 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
1871872 Sep 7 2004 "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
1871872 Sep 7 2004 "C:\Program Files\Ahead\Nero BackItUp\bak\NBJ.exe"
32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\PCMService.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
118784 Oct 10 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
135168 Oct 21 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
135168 Nov 19 2006 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB_\mm_tray.exe"
118784 Oct 10 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
1003520 May 27 2006 "C:\Program Files\Real\RealPlayer\realplay.exe"
1003520 May 27 2006 "C:\Program Files\Real\RealPlayer\bak\realplay.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\tgcmd.exe"
1773568 Mar 7 2007 "C:\Program Files\support.com\bin\bak\tgcmd.exe"
67264 May 15 2006 "C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE"
67264 May 15 2006 "C:\Program Files\Symantec\LiveUpdate\bak\ALUNOTIFY.EXE"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
180269 Jul 28 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jul 28 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"


end of report

Thanks again,

Jim

#10 SifuMike


Posted 18 November 2007 - 12:35 PM

Hi Jim,

We are making progress. :thumbsup:

Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Reboot your computer <==== Important

********************************

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\DellSupport\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\SYSTEM32\bak
C:\Program Files\Ahead\Nero BackItUp\bak
C:\Program Files\CyberLink\PowerDVD\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Real\RealPlayer\bak
C:\Program Files\support.com\bin\bak
C:\Program Files\Symantec\LiveUpdate\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\WINDOWS\SYSTEM32\dla\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak


Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

#11 VTSkeeter


Posted 18 November 2007 - 12:54 PM

Alright! :thumbsup: Here is the latest AWF Report. Looks a lot smaller than the first.


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Sun 11/18/2007
The current time is: 12:49:43.12


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

09/03/2005 06:04 PM 77,824 qttask.exe
1 File(s) 77,824 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

77824 Sep 3 2005 "C:\Program Files\QuickTime\qttask.exe"
77824 Sep 3 2005 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report

#12 SifuMike


Posted 18 November 2007 - 01:05 PM

Hi Jim,

Looks like one of the BAK folders did not get deleted. Let's try again.

Please double-click the FindAWF icon once again
This time we are going to remove some folders.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\QuickTime\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

#13 VTSkeeter


Posted 18 November 2007 - 02:40 PM

Here it is Mike. Let me know what you see.


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: Sun 11/18/2007
The current time is: 14:37:27.65


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

09/03/2005 06:04 PM 77,824 qttask.exe
1 File(s) 77,824 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

77824 Sep 3 2005 "C:\Program Files\QuickTime\qttask.exe"
77824 Sep 3 2005 "C:\Program Files\QuickTime\bak\qttask.exe"


end of report

#14 SifuMike


Posted 18 November 2007 - 02:45 PM

Hi Jim,

For some reason the AWF tool did not work. :thumbsup: But no matter, we will delete that BAK folder manually.


Please find and delete this folder:

C:\Program Files\QuickTime\bak <=== folder

Then run FindAWF with option 1 and post the log.

#15 VTSkeeter


Posted 18 November 2007 - 03:38 PM

Mike, I was not allowed to delete the folder you requested. I also attempted to drag and drop in the Desktop Recycle Bin but no luck. The warning called it qttask.exe and I can see there already is a qttask.exe in the folder. Please advise.



