
Downloader.agent.awf


  • This topic is locked
36 replies to this topic

#1 EFS (Members, 26 posts)

Posted 08 February 2008 - 01:04 PM

I think I have been infected with the Downloader.agent.awf malware and need removal help.
When opening IE - I got a page with a.doginhispen.com and another time b.skittodayplease.
Searching the internet, I found it may be downloader.agent.awf.
It is not picked up by TrendMicro antivirus or spyware checks.
Thank you in advance for all help!!!

I have run HijackThis - here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:24 PM, on 2/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Documents and Settings\Ellen\Desktop\Security\TrendMicro\Crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wearecentralpa.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...84/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189110377281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189110338500
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {78AEEDE8-7345-4FB5-A8FE-4BFF16EF25FC} (McAfee Virtual Technician Control Class) - http://us-download.mcafee.com/products/protected/mvt/mvt.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - https://photos.riteaid.com/control/RiteAidO...PhotoOnline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,21/mcgdmgr.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.verizon.net/sfp/Cabs/max_u...pdate_1-0-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...764/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6488EF9-4B82-440E-9CD9-658D2FC8655C}: NameServer = 71.242.0.12 71.252.0.12
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COM+ System Client (ComSysCnt) - Unknown owner - C:\WINDOWS\repair\cmsvc.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Groove Games Licensing Service - Groove Games - C:\Program Files\Common Files\Groove Games Shared\Service\ggameslicsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\All Users\Documents\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\ntps.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Print Spooler Service (SpoolSvc227) - Unknown owner - C:\WINDOWS\system32\nlkfev7aywuxwxxwx.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 14013 bytes



After reading other similar topics I downloaded and ran FindAWF. Here is the result of #1 Scan for bak folders:

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 02/08/2008
The current time is: 12:02:00.50


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

10/04/2007 10:20 AM 50,528 aim6.exe
1 File(s) 50,528 bytes

Directory of C:\PROGRA~1\DELLAI~1\BAK

09/21/2003 10:21 AM 270,336 dlbfbmgr.exe
1 File(s) 270,336 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 06:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/25/2004 11:52 AM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\VERIZO~1\HELPSU~1\BAK

05/23/2005 01:20 PM 50,744 VERIZO~1.EXE
1 File(s) 50,744 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 02:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 11:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\CREATIVE\SOUNDB~1\SURROU~1\BAK

09/17/2003 11:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\BAK

04/13/2005 07:51 PM 385,024 MotiveSB.exe
1 File(s) 385,024 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14860 Feb 6 2008 "C:\Program Files\AIM6\aim6.exe"
50528 Oct 4 2007 "C:\Program Files\AIM6\bak\aim6.exe"
50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1129504521\ee\aim6.exe"
14860 Feb 6 2008 "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
270336 Sep 21 2003 "C:\Program Files\Dell AIO Printer A960\bak\dlbfbmgr.exe"
14860 Feb 6 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
14860 Feb 6 2008 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
278528 Aug 3 2004 "C:\WINDOWS\SYSTEM32\VerizonUninstaller.exe"
14860 Feb 6 2008 "C:\Program Files\Verizon Online\Help Support\VerizonSupport.exe"
50744 May 23 2005 "C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE"
122660 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\VerizonSetPanFolder.exe"
122660 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\Original\VerizonSetPanFolder.exe"
14860 Feb 6 2008 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
14860 Feb 6 2008 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
14860 Feb 6 2008 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
14860 Feb 6 2008 "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe"
57344 Sep 17 2003 "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe"
14860 Feb 6 2008 "C:\Program Files\Verizon Online\Help Support\SmartBridge\MotiveSB.exe"
385024 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\bak\MotiveSB.exe"
385024 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\Original\MotiveSB.exe"


end of report

Edited by EFS, 08 February 2008 - 03:51 PM.
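The "Duplicate files of bak directory contents" section above is the AWF signature: each legitimate program has been moved into a bak subfolder and replaced, at its original path, by a 14,860-byte file dated Feb 6 2008. The Python script below is an added example (not part of FindAWF or of this thread) that parses that section of a FindAWF report, pairs every bak copy with the live file one directory up, and reports which live binaries differ from their backups, the list a helper otherwise builds by hand for FindAWF option #2. It also flags the case where the bak copy is listed under an 8.3 short name (VERIZO~1.EXE) and cannot be matched automatically. The sample report is constructed from the shapes of the lines above.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One line of the "Duplicate files of bak directory contents" section:
#   <size> <Mon> <day> <year> "<path>"
DUP_LINE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"([^"]+)"\s*$')

# Constructed sample, shaped like the report above (not a real run of the tool).
SAMPLE_REPORT = r"""
14860 Feb 6 2008 "C:\Program Files\AIM6\aim6.exe"
50528 Oct 4 2007 "C:\Program Files\AIM6\bak\aim6.exe"
50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1129504521\ee\aim6.exe"
14860 Feb 6 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
14860 Feb 6 2008 "C:\Program Files\Verizon Online\Help Support\VerizonSupport.exe"
50744 May 23 2005 "C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE"
"""


def parse_duplicates(text):
    """Return a list of (size, date, PureWindowsPath) for every duplicate-section line."""
    entries = []
    for line in text.splitlines():
        m = DUP_LINE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries.append((int(size), f"{mon} {day} {year}", PureWindowsPath(path)))
    return entries


def analyze(text):
    """Pair each copy inside a bak folder with the live file one directory up.

    Returns (replaced, unresolved):
      replaced   - dicts for live files whose size differs from the bak copy
      unresolved - bak paths whose live counterpart is not listed under the same
                   name (e.g. an 8.3 short name), which a helper must match by hand
    """
    entries = parse_duplicates(text)
    by_path = {str(p).lower(): (size, date) for size, date, p in entries}
    replaced, unresolved = [], []
    for size, date, p in entries:
        if p.parent.name.lower() != "bak":
            continue                      # only bak\<name> entries drive the pairing
        live = p.parent.parent / p.name   # the path the program originally lived at
        live_info = by_path.get(str(live).lower())
        if live_info is None:
            unresolved.append(str(p))
            continue
        live_size, live_date = live_info
        if live_size != size:             # identical size (ctfmon.exe) means nothing was swapped
            replaced.append({
                "live": str(live), "live_size": live_size, "live_date": live_date,
                "backup": str(p), "backup_size": size, "backup_date": date,
            })
    return replaced, unresolved


def shared_stub_sizes(replaced):
    """Sizes shared by more than one replaced live file: the same dropper stub
    copied over every hijacked program, as with the 14860-byte files above."""
    counts = Counter(f["live_size"] for f in replaced)
    return sorted(s for s, n in counts.items() if n > 1)


def restore_list(replaced):
    """bak paths to paste into FindAWF option #2, one per line."""
    return [f["backup"] for f in replaced]


if __name__ == "__main__":
    replaced, unresolved = analyze(SAMPLE_REPORT)
    for f in replaced:
        print(f"REPLACED {f['live']} ({f['live_size']} bytes, {f['live_date']}) "
              f"<- bak copy {f['backup_size']} bytes, {f['backup_date']}")
    for p in unresolved:
        print(f"CHECK BY HAND {p}")
    print("shared stub sizes:", shared_stub_sizes(replaced))
    print("\n".join(restore_list(replaced)))
```

Run it against a pasted report and the output is the restore list in the form a helper asks for; a size that repeats across several replaced files is the single stub the infection dropped everywhere, which is why the helper also asks for the surviving original in bak rather than trusting the live copy.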



#2 EFS (Topic Starter, Members, 26 posts)

Posted 09 February 2008 - 10:23 AM

Need help with downloader.agent.awf please.

#3 EFS (Topic Starter, Members, 26 posts)

Posted 09 February 2008 - 01:35 PM

Additional information: I searched for cmsvc.exe but my search came back with nothing. When I did an internet search on that name, I found bleepingcomputer listed it as an O23 entry on the HijackThis log - AND THERE IT WAS! Just confirms to me what I am dealing with.....

#4 EFS (Topic Starter, Members, 26 posts)

Posted 09 February 2008 - 05:02 PM

I downloaded and ran AUTORUNS and then re-ran my HIJACKTHIS. Attached are the updated logs.
I have also attached the latest AWF log. Thanks in advance for all help!


#5 ken545 (Malware Response Team, 1,685 posts, Location: The Space Coast of Florida)

Posted 11 February 2008 - 12:54 PM

EFS,

Welcome to Bleeping Computer. AWF is just the tip of the iceberg; you're also infested with the SDBot worm.

Do this please.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log





Download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version . It is important that it is saved directly to your desktop**
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

1. Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze
2. If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.



I need to see the SDfix log, the Combofix log and a New HJT log please

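Ken's SDBot call comes from the O23 lines of the first HijackThis log: services named after Windows components (lsass, Print Spooler, Microsoft Net API, COM+) with "Unknown owner", binaries that are missing, a look-alike name (scvhost.exe next to the real svchost.exe) and a random-looking file name. The Python script below is an added example, not part of HijackThis or of this thread; it parses O23 lines and tags those patterns so a reader can triage a log before posting it. The system-binary and keyword lists are constructed for the example, and the sample lines are shaped like the entries in the log above.

```python
from pathlib import PureWindowsPath

O23_PREFIX = "O23 - Service: "
FILE_MISSING = "(file missing)"

# Core Windows binaries that malware likes to imitate (constructed list for this example).
SYSTEM_BINARIES = ("svchost", "lsass", "csrss", "winlogon", "services", "spoolsv", "explorer", "smss")
# Words that make a service sound like an OS component. HijackThis does not list the
# genuine Microsoft services under O23, so such a name with "Unknown owner" deserves a look.
WINDOWS_WORDS = ("microsoft", "windows", "print spooler", "local security authority", "com+", "net api")

# Constructed sample lines, shaped like the O23 entries in the log above.
SAMPLE_HJT = [
    r"O23 - Service: COM+ System Client (ComSysCnt) - Unknown owner - C:\WINDOWS\repair\cmsvc.exe (file missing)",
    r"O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)",
    r"O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)",
    r"O23 - Service: Microsoft Net API (NETAPI) - Unknown owner - C:\WINDOWS\system32\ntps.exe (file missing)",
    r"O23 - Service: Print Spooler Service (SpoolSvc227) - Unknown owner - C:\WINDOWS\system32\nlkfev7aywuxwxxwx.exe (file missing)",
    r"O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]


def parse_o23(line):
    """Split an O23 line into (name, owner, path, file_missing); None for any other line.
    Assumes the executable path itself contains no ' - ' separator."""
    if not line.startswith(O23_PREFIX):
        return None
    rest = line[len(O23_PREFIX):].strip()
    missing = rest.endswith(FILE_MISSING)
    if missing:
        rest = rest[:-len(FILE_MISSING)].strip()
    parts = rest.rsplit(" - ", 2)          # "<display name> - <owner> - <path>"
    if len(parts) != 3:
        return None
    name, owner, path = parts
    return name, owner, PureWindowsPath(path), missing


def levenshtein(a, b):
    """Plain edit distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_random(stem):
    """Heuristic for generated names: long, vowel-poor, or a digit buried between letters."""
    s = stem.lower()
    if len(s) < 10:
        return False
    vowel_share = sum(c in "aeiou" for c in s) / len(s)
    inner_digit = any(s[i].isdigit() and s[i - 1].isalpha() and s[i + 1].isalpha()
                      for i in range(1, len(s) - 1))
    return vowel_share < 0.25 or inner_digit


def lookalike(stem):
    """Return the system binary this file name imitates, or None."""
    s = stem.lower()
    for known in SYSTEM_BINARIES:
        if s != known and levenshtein(s, known) <= 2:
            return known
    return None


def triage(lines):
    """Tag each O23 service with the reasons it deserves attention; clean entries are omitted."""
    findings = []
    for line in lines:
        parsed = parse_o23(line)
        if parsed is None:
            continue
        name, owner, path, missing = parsed
        reasons = []
        if owner == "Unknown owner" and missing:
            reasons.append("orphan")                      # stale entry: binary gone, no publisher
        if owner == "Unknown owner" and any(w in name.lower() for w in WINDOWS_WORDS):
            reasons.append("windows-name-unknown-owner")  # claims to be an OS component
        if looks_random(path.stem):
            reasons.append("random-name")
        known = lookalike(path.stem)
        if known:
            reasons.append(f"lookalike:{known}")
        if reasons:
            findings.append({"name": name, "path": str(path), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f['name']} -> {f['path']}: {', '.join(f['reasons'])}")
```

An "orphan" tag on its own (the McAfee leftovers) usually just means an uninstaller left the service behind; it is the combination with a Windows-sounding name, a look-alike binary or a generated file name that points at the worm Ken identifies, and an "Unknown owner" entry whose file is present and sensibly named (Ati2evxx.exe) gets no tag at all.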


#6 EFS (Topic Starter, Members, 26 posts)

Posted 11 February 2008 - 01:32 PM

Ken,
thank you - I will begin the process now.
Ellen

#7 EFS (Topic Starter, Members, 26 posts)

Posted 11 February 2008 - 04:44 PM

Ken,
Wow what a process - kinda scary!
Anyway, attached are the logs you requested.
The crustylog 02.11.08a was run after the SDFix but before the ComboFix.
The crustylog 02.11.08b was run after the ComboFix.

I have a few questions:
1) When the computer re-booted this last time, I got a message that tfswcres.dll could not be found.
2) What type of anti-virus software is the best to be running? I have been running TrendMicro PC-cillin and it did not stop/catch the awf or SDBot.
3) Within PC-cillin, should I run its firewall or should I run the Windows firewall? I had trouble with the Windows firewall at one point (maybe that was part of one of these viruses) and could not get it to turn on, so I just began using just the PC-Cillin firewall. I understood that you should not run both at the same time?
4) I can not get AIM Instant Messenger to run - it does not start when I log in nor will it run when I click on it to start it - any ideas?

Thank you so very much for all your help. I really appreciate it - and so do my kids!
Ellen


Edited by EFS, 11 February 2008 - 04:55 PM.


#8 ken545 (Malware Response Team, 1,685 posts, Location: The Space Coast of Florida)

Posted 11 February 2008 - 06:40 PM

Hello,

You're doing fine, but there's a little more to do. Do me a favor and don't attach your logs; just copy and paste them into the thread. It's faster for me to navigate around looking at them.

When we're done I will link you to some free tools to install to help keep you secure; let's not worry about that just yet. The file that is missing we can address also when we're done.

ViewPoint is foistware; it installed without your knowledge or consent. You can uninstall it via Add/Remove Programs in the Control Panel.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe







In case you removed it
Please download FindAWF and save it to your desktop

Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\AIM6\bak\aim6.exe
C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe
C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe
C:\Program Files\Dell AIO Printer A960\bak\dlbfbmgr.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE
C:\Program Files\Verizon Online\Help Support\SmartBridge\bak\MotiveSB.exe
C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe





Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

File::
C:\Documents and Settings\Ellen\remote.exe
C:\windows\antivirusmanager.exe

Folder::
C:\Program Files\SpywareBot

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirus Manager]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.



I need to see the FindAWF log, the new Combofix log and a new HJT log please



#9 EFS (Topic Starter, Members, 26 posts)

Posted 11 February 2008 - 06:53 PM

Ok - here I go.....

#10 EFS (Topic Starter, Members, 26 posts)

Posted 11 February 2008 - 08:16 PM

Things ran much faster this time! Makes me feel better.....like we are on the road to recovery!
Here are the logs you requested:

FindAWF Log :

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 02/11/2008
The current time is: 19:06:31.18


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM6\BAK

10/04/2007 10:20 AM 50,528 aim6.exe
1 File(s) 50,528 bytes

Directory of C:\PROGRA~1\DELLAI~1\BAK

09/21/2003 10:21 AM 270,336 dlbfbmgr.exe
1 File(s) 270,336 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 06:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

08/25/2004 11:52 AM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\TRENDM~1\INTERN~2\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\VERIZO~1\HELPSU~1\BAK

05/23/2005 01:20 PM 50,744 VERIZO~1.EXE
1 File(s) 50,744 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

08/13/2004 02:05 AM 122,939 tfswctrl.exe
1 File(s) 122,939 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 11:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\CREATIVE\SOUNDB~1\SURROU~1\BAK

09/17/2003 11:43 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\BAK

04/13/2005 07:51 PM 385,024 MotiveSB.exe
1 File(s) 385,024 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14860 Feb 6 2008 "C:\Program Files\AIM6\aim6.exe"
50528 Oct 4 2007 "C:\Program Files\AIM6\bak\aim6.exe"
50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1129504521\ee\aim6.exe"
14860 Feb 6 2008 "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
270336 Sep 21 2003 "C:\Program Files\Dell AIO Printer A960\bak\dlbfbmgr.exe"
14860 Feb 6 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
14860 Feb 6 2008 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Aug 25 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
278528 Aug 3 2004 "C:\WINDOWS\SYSTEM32\VerizonUninstaller.exe"
14860 Feb 6 2008 "C:\Program Files\Verizon Online\Help Support\VerizonSupport.exe"
50744 May 23 2005 "C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE"
122660 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\VerizonSetPanFolder.exe"
122660 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\Original\VerizonSetPanFolder.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe"
122939 Aug 13 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122939 Aug 13 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
14860 Feb 6 2008 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
14860 Feb 6 2008 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
14860 Feb 6 2008 "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe"
57344 Sep 17 2003 "C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe"
14860 Feb 6 2008 "C:\Program Files\Verizon Online\Help Support\SmartBridge\MotiveSB.exe"
385024 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\bak\MotiveSB.exe"
385024 Apr 13 2005 "C:\Program Files\Verizon Online\Help Support\SmartBridge\Original\MotiveSB.exe"


end of report

ComboFix Log :

ComboFix 08-02-11.2 - Ellen 2008-02-11 19:53:43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.348 [GMT -5:00]
Running from: C:\Documents and Settings\Ellen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ellen\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Ellen\remote.exe
C:\windows\antivirusmanager.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ellen\remote.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-11 16:51 . 2008-02-11 16:51 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-11 16:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-02-11 13:46 . 2008-02-11 13:46 <DIR> d-------- C:\WINDOWS\ERUNT
2008-02-11 13:40 . 2008-02-11 14:18 <DIR> d-------- C:\SDFix
2008-02-07 12:46 . 2008-02-07 12:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-07 12:46 . 2008-02-07 13:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2008-02-06 21:36 . 2008-02-06 21:36 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 00:02 --------- d-----w C:\Program Files\Viewpoint
2008-02-12 00:02 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2008-02-09 20:33 --------- d-----w C:\Program Files\Pariah Multiplayer Demo
2008-02-09 20:33 --------- d-----w C:\Program Files\Common Files\Groove Games Shared
2008-02-09 20:21 --------- d-----w C:\Program Files\GameSpy Arcade
2008-02-09 20:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-09 20:14 --------- d-----w C:\Program Files\Microsoft Games
2008-02-09 20:09 --------- d-----w C:\Program Files\Deer Hunter 3
2008-02-09 19:57 --------- d-----w C:\Program Files\EA GAMES
2008-02-09 19:55 --------- d-----w C:\Program Files\Ubisoft
2008-02-09 19:55 --------- d-----w C:\Documents and Settings\Ellen\Application Data\Gearbox Software
2008-02-09 19:55 --------- d-----w C:\DOCUME~1\Ellen\APPLIC~1\Gearbox Software
2008-02-09 19:34 --------- d-----w C:\Program Files\CallWave
2008-02-09 19:30 --------- d-----w C:\Program Files\PartyGaming
2008-02-07 02:36 --------- d-----w C:\Program Files\QuickTime
2008-02-07 02:36 --------- d-----w C:\Program Files\Dell AIO Printer A960
2008-02-07 02:36 --------- d-----w C:\Program Files\AIM6
2008-02-05 18:11 --------- d-----w C:\Documents and Settings\Ellen\Application Data\Yahoo!
2008-02-05 18:11 --------- d-----w C:\DOCUME~1\Ellen\APPLIC~1\Yahoo!
2008-02-05 15:43 --------- d-----w C:\Documents and Settings\Ellen\Application Data\Intuit
2008-02-05 15:43 --------- d-----w C:\DOCUME~1\Ellen\APPLIC~1\Intuit
2008-02-05 15:40 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-05 15:25 --------- d-----w C:\Program Files\TurboTax
2008-02-05 14:02 --------- d-----w C:\Documents and Settings\Ellen\Application Data\ZoomBrowser EX
2008-02-05 14:02 --------- d-----w C:\DOCUME~1\Ellen\APPLIC~1\ZoomBrowser EX
2008-02-05 12:04 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZoomBrowser
2008-01-31 13:28 --------- d-----w C:\Documents and Settings\Ellen\Application Data\LimeWire
2008-01-31 13:28 --------- d-----w C:\DOCUME~1\Ellen\APPLIC~1\LimeWire
2008-01-06 05:37 --------- d-----w C:\Documents and Settings\Jack\Application Data\U3
2008-01-04 17:16 --------- d-----w C:\Documents and Settings\Ellen\Application Data\U3
2008-01-04 17:16 --------- d-----w C:\DOCUME~1\Ellen\APPLIC~1\U3
2007-12-21 17:52 --------- d-----w C:\Program Files\Trend Micro
2006-01-20 16:50 5,664 ----a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\ypinfo.bin
2005-06-16 21:33 1,431,519 ------w C:\Documents and Settings\Jack\areslite181.exe
2005-06-16 21:32 1,691,725 ------w C:\Documents and Settings\Jack\setup_ares.exe
2007-03-29 01:48 37,376 --sh--r C:\WINDOWS\SYSTEM32\wncsvc.exe
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 50,528 2007-10-04 15:20:54 C:\Program Files\AIM6\bak\aim6.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\AIM6\aim6.exe

----a-w 339,968 2004-08-25 16:52:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

----a-w 124,520 2006-02-17 16:59:46 C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

----a-w 102,400 2004-12-02 23:23:34 C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

----a-w 57,344 2003-09-17 16:43:36 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak\CTSysVol.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

----a-w 270,336 2003-09-21 15:21:16 C:\Program Files\Dell AIO Printer A960\bak\dlbfbmgr.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe

----a-w 286,720 2007-06-29 10:24:52 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\QuickTime\qttask.exe

----a-w 50,744 2005-05-23 18:20:28 C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE

----a-w 385,024 2005-04-14 00:51:22 C:\Program Files\Verizon Online\Help Support\SmartBridge\bak\MotiveSB.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\Verizon Online\Help Support\SmartBridge\MotiveSB.exe

----a-w 15,360 2004-08-04 11:00:00 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 11:00:00 C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-w 122,939 2004-08-13 07:05:00 C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe
----a-w 122,939 2004-08-13 07:05:00 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-02-06 21:34 14860]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-02-06 21:34 14860]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-06-29 05:24 286720]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-01-23 13:26 3429904]
"Motive SmartBridge"="C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe" [2008-02-06 21:34 14860]
"IPHSend"="C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" [2008-02-06 21:34 14860]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-08-13 02:05 122939]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2008-02-06 21:34 14860]
"CTSysVol"="C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe" [2008-02-06 21:34 14860]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-02-06 21:34 14860]
"A Verizon App"="C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE" [2008-02-06 21:34 14860]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 06:00 53760 C:\WINDOWS\SYSTEM32\NARRATOR.EXE]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2004-11-14 14:47:07 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ulead Photo Express 4.0 SE Calendar Checker .lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk
backup=C:\WINDOWS\pss\Ulead Photo Express 4.0 SE Calendar Checker .lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AntiVirus Manager]
c:\windows\antivirusmanager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2004-08-23 19:19 57344 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
--a------ 2006-05-09 19:24 50760 C:\Program Files\Common Files\AOL\1129504521\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
--a------ 2004-07-01 16:20 212992 C:\Updater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-09-11 04:40 218032 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-09-26 13:42 267064 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2006-01-19 10:06 11776 C:\PROGRA~1\MUSICM~1\MUSICM~2\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2004-06-10 12:51 60928 C:\WINDOWS\SYSTEM32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2004-04-11 21:15 290816 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpywareBot]
C:\Program Files\SpywareBot\SpywareBot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StrgSync.exe]
--a------ 2005-10-07 22:01 3032576 C:\Program Files\StorageSync\StrgSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-07-26 02:03 49263 C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2004-01-07 02:01 110592 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\UpdReg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
--a------ 2004-11-10 23:15 111816 C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ymetray]
--a------ 2006-10-03 13:04 54776 C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe

S2 Ca536av;DV 5900(Video);C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-09-05 13:47]
S3 USBCamera;DV 5900(Still);C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 17:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7b19726d-d645-11dc-b80a-001111536897}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c69935cd-b9ea-11dc-b7f4-001111536897}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fc6cebd5-168d-11dc-b76d-001111536897}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 20:00:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-11 20:06:31
ComboFix-quarantined-files.txt 2008-02-12 01:06:26
ComboFix2.txt 2008-02-11 21:28:38


HijackThis log :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:27 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ellen\Desktop\Security\Security HijackThis...Crusty\Crusty.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wearecentralpa.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [A Verizon App] C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/contr...vex/TmHcmsX.CAB
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://www.amiuptodate.com/vsc/bin/1,0,0,7...pdatePortal.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189110377281
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189110338500
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirel...loadControl.cab
O16 - DPF: {8FD68625-2346-418A-8899-67CB36B1917F} (McciSM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {C32F59BF-180B-416A-ABF7-161060990A88} - http://download.verizon.net/sfp/Cabs/max_u...pdate_1-0-0.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Documents and Settings\All Users\Documents\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - Unknown owner - c:\program files\mcafee.com\agent\mcdetect.exe (file missing)
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - Unknown owner - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee SpamKiller Server (MskService) - Unknown owner - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 10545 bytes



That's all folks!
Ellen

#11 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:04:14 AM

Posted 11 February 2008 - 08:54 PM

Ellen,

You're doing so well, :thumbsup: maybe you can be my stand-in when I go on vacation???

Double-click FindAWF.exe to start the tool.
  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\AIM6\bak
C:\Program Files\ATI Technologies\ATI Control Panel\bak
C:\Program Files\Common Files\AOL\IPHSend\bak
C:\Program Files\Creative\MediaSource\Detector\bak
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\bak
C:\Program Files\Dell AIO Printer A960\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Verizon Online\Help Support\bak
C:\Program Files\Verizon Online\Help Support\SmartBridge\bak
C:\WINDOWS\SYSTEM32\bak
C:\WINDOWS\SYSTEM32\dla\bak


  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.




C:\Program Files\Viewpoint <-- Delete this folder



Download: DelDomains and save it to the desktop.
  • Close all open windows and your browser
  • Right Click DelDomains.inf and select > Install
  • Reboot your computer
Internet Explorer is needed to run this properly.


Let me see the AWF log please

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014



donate.gif Please consider a donation to help me keep up my fight against malware.

 

Just a reminder that threads will be closed if no response in 3 days

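The AWF section of the ComboFix log earlier in this thread shows the pattern FindAWF's option 3 cleans up: each autostart executable was swapped for a 14,860-byte file dated 2008-02-07 02:34:50, while the original was saved in a sibling `bak` folder. As an added example that is not from this thread, FindAWF or ComboFix, the Python below parses lines in that log layout (a constructed sample copied from the log) and labels each bak/live pair, separating genuinely replaced executables from stale copies such as ctfmon.exe, where bak and live are identical and the bak folder is just leftover.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: entries in the layout of ComboFix's "AWF" section
# (attributes, size, date, time, path), copied from the log in this thread.
SAMPLE_AWF = r"""
----a-w 50,528 2007-10-04 15:20:54 C:\Program Files\AIM6\bak\aim6.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\AIM6\aim6.exe

----a-w 339,968 2004-08-25 16:52:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 14,860 2008-02-07 02:34:50 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

----a-w 50,744 2005-05-23 18:20:28 C:\Program Files\Verizon Online\Help Support\bak\VERIZO~1.EXE

----a-w 15,360 2004-08-04 11:00:00 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 11:00:00 C:\WINDOWS\SYSTEM32\ctfmon.exe
"""

# attrs  size(with thousands separators)  YYYY-MM-DD HH:MM:SS  path
LINE_RE = re.compile(
    r"^(\S+)\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+?)\s*$"
)


@dataclass
class Entry:
    attrs: str
    size: int
    stamp: str
    path: str

    @property
    def in_bak(self) -> bool:
        """True when the file sits directly inside a folder named 'bak'."""
        parts = self.path.split("\\")
        return len(parts) >= 2 and parts[-2].lower() == "bak"

    @property
    def live_path(self) -> str:
        """Path of the executable the autostart entry actually launches."""
        parts = self.path.split("\\")
        if self.in_bak:
            parts = parts[:-2] + parts[-1:]   # drop the 'bak' segment
        return "\\".join(parts)


def parse_awf(text: str) -> list[Entry]:
    """Parse every well-formed line of an AWF section; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size = int(m.group(2).replace(",", ""))
            entries.append(Entry(m.group(1), size, m.group(3), m.group(4)))
    return entries


def classify(entries: list[Entry]) -> dict[str, str]:
    """Pair each bak copy with its live counterpart (case-insensitive on Windows
    paths) and label the pair:
      replaced  - live file differs from the saved original: the AWF swap
      identical - bak and live agree, so the bak folder is only a stale copy
      bak_only  - an original was saved but no live file was listed
      live_only - a live file with no saved original (nothing to compare)
    """
    by_key: dict[str, dict[str, Entry]] = {}
    for e in entries:
        by_key.setdefault(e.live_path.lower(), {})["bak" if e.in_bak else "live"] = e
    verdicts: dict[str, str] = {}
    for pair in by_key.values():
        bak, live = pair.get("bak"), pair.get("live")
        if bak and live:
            same = bak.size == live.size and bak.stamp == live.stamp
            verdicts[live.live_path] = "identical" if same else "replaced"
        elif bak:
            verdicts[bak.live_path] = "bak_only"
        else:
            verdicts[live.live_path] = "live_only"
    return verdicts


def replacement_signature(entries: list[Entry], verdicts: dict[str, str]):
    """(size, timestamp) shared by every replaced live file, or None if they
    differ. One value across all of them means a single dropped binary was
    copied over each autostart executable, as in the log above."""
    sigs = {(e.size, e.stamp) for e in entries
            if not e.in_bak and verdicts.get(e.live_path) == "replaced"}
    return sigs.pop() if len(sigs) == 1 else None


if __name__ == "__main__":
    found = parse_awf(SAMPLE_AWF)
    labels = classify(found)
    for path, label in labels.items():
        print(f"{label:10} {path}")
    print("common replacement signature:", replacement_signature(found, labels))
```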

#12 EFS

  • Topic Starter
  • Members
  • 26 posts
  • Local time:03:14 AM

Posted 11 February 2008 - 09:16 PM

Not so sure about the stand-in gig....but I am feeling good about all your hard work!
Here we go.....

#13 EFS

  • Topic Starter
  • Members
  • 26 posts
  • Local time:03:14 AM

Posted 11 February 2008 - 09:28 PM

Here is the AWF log :

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 02/11/2008
The current time is: 21:18:30.76


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\TRENDM~1\INTERN~2\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

I tried to delete the Viewpoint folder.
It said I could NOT delete ViewMgr.exe : Access denied.....file may be in use

I will download DelDomains to my desktop now and run it. What is it?
Ellen

#14 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:04:14 AM

Posted 11 February 2008 - 09:38 PM

Deldomains will reset your Internet Explorer Trusted Zone, that's where this infection attached itself to.

Run option 1 again for FindAWF and post the log along with a new HJT log



#15 ken545

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:04:14 AM

Posted 11 February 2008 - 09:41 PM

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Viewpoint

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
