Please Help With Hijackthis Log


This topic is locked
14 replies to this topic

#1 Mortimer Snodgrass (Members, 7 posts)

Posted 24 March 2008 - 10:32 AM

Hi all,

Please review and offer suggestions on what to fix in my HijackThis log. I have already run CCleaner, Ad-Aware 2007, and Spybot Search & Destroy, and these tools have removed some problems. However, I am still experiencing the problem of redirects when clicking on search engine results.

Also, on boot-up, I receive two separate error messages stating that the files "xoqruyks.dll" and "iivcnjj.dll" cannot be found; I notice entries related to these two files in the fourth and sixth lines of the O4 section below. I googled these two file names, but surprisingly received no matching hits.

Thanks in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:02 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HijackThis\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.toshibadirect.com/dpdstart
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~2.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: {a6e767ea-ec6c-29c8-4f54-607f62771346} - {64317726-f706-45f4-8c92-c6ceae767e6a} - C:\WINDOWS\system32\fwbkrjlx.dll (file missing)
O2 - BHO: (no name) - {7B520471-7B84-47DD-8AEA-13512772DD37} - C:\WINDOWS\system32\browsew.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {D709A42F-432C-4676-A76D-5E7C3587A1D6} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\system32\awtrpml.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~2.DLL
O3 - Toolbar: CalorieKing Joslin Browser Toolbar - {4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC} - C:\PROGRA~1\CALORI~1\CALORI~1\CKTOOL~1.DLL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\iiivcnjj.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\xoqruyks.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/Data...6-6D5536C585C9}
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://campash.brett-robinson.com/activex/AxisCamControl.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photofinale.com/ImageUploader3/ImageUploader3.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.10.cab?
O20 - Winlogon Notify: awtrpml - awtrpml.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9371 bytes
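The triage the helper does by eye on the log above can be written down. The script below is an added example for this thread, not part of the original post and not HijackThis's own logic: it parses the O2 (BHO), O4 (Run key) and O20 (Winlogon Notify) lines and flags the load points that deserve attention: DLLs HijackThis marks "(file missing)", BHOs with no product name or a GUID for a name, Run values with hex-looking names, and rundll32 entries that load a random-looking DLL from system32 by a one-letter export. A subset of the lines from the log is embedded as constructed sample input; the name-randomness thresholds and the hex-name pattern are assumptions of the example, so treat hits as leads, not verdicts.

```python
"""Triage the O2/O4/O20 lines of a HijackThis v2 log.

Added example for this thread. It is not HijackThis's own logic, and the
heuristics (name randomness, hex-looking value names) are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the lines from the first post.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: {a6e767ea-ec6c-29c8-4f54-607f62771346} - {64317726-f706-45f4-8c92-c6ceae767e6a} - C:\WINDOWS\system32\fwbkrjlx.dll (file missing)
O2 - BHO: (no name) - {7B520471-7B84-47DD-8AEA-13512772DD37} - C:\WINDOWS\system32\browsew.dll
O2 - BHO: (no name) - {D709A42F-432C-4676-A76D-5E7C3587A1D6} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [b4bda793] rundll32.exe "C:\WINDOWS\system32\iiivcnjj.dll",b
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMb78e940f] Rundll32.exe "C:\WINDOWS\system32\xoqruyks.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: awtrpml - awtrpml.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)"
                    r"(?P<missing> \(file missing\))?$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?(?:,(?P<export>\S*))?', re.I)
HEXNAME_RE = re.compile(r"(?:BM)?[0-9a-f]{8}", re.I)       # e.g. b4bda793, BMb78e940f
GUID_RE = re.compile(r"\{?[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?", re.I)
VOWELS = set("aeiou")


def file_stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\xoqruyks.dll' -> 'xoqruyks'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def looks_random(stem: str) -> bool:
    """Crude test for machine-generated names such as 'xoqruyks': all lower
    case, 5-10 letters, and either vowel-poor or with a long consonant run.
    Thresholds are an assumption of this example."""
    if not re.fullmatch(r"[a-z]{5,10}", stem):
        return False
    vowel_ratio = sum(c in VOWELS for c in stem) / len(stem)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


@dataclass
class Finding:
    line: str
    reasons: list


def triage(log_text: str) -> list:
    """Return the O2/O4/O20 lines worth a second look, with the reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        if m := O2_RE.match(line):
            if m["missing"]:
                reasons.append("BHO points at a file that no longer exists (orphaned load point)")
            if m["name"] == "(no name)" or GUID_RE.fullmatch(m["name"]):
                reasons.append("BHO has no product name, or a GUID as its name")
        elif m := O4_RE.match(line):
            if HEXNAME_RE.fullmatch(m["name"]):
                reasons.append("Run value is named with hex junk, not a product name")
            if r := RUNDLL_RE.match(m["cmd"]):
                stem = file_stem(r["dll"])
                if "system32" in r["dll"].lower() and looks_random(stem):
                    reasons.append(f"rundll32 loads a random-named DLL from system32 ({stem})")
                if r["export"] is not None and len(r["export"]) <= 1:
                    reasons.append("rundll32 export name is a single character")
        elif m := O20_RE.match(line):
            if m["missing"]:
                reasons.append("Winlogon Notify DLL missing (orphaned load point)")
            if looks_random(file_stem(m["dll"])):
                reasons.append("Winlogon Notify package with a random name")
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for reason in f.reasons:
            print("   ->", reason)
```

Run against the sample, it flags exactly the entries the helper later targets with the CFScript (the two rundll32 DLLs, the two nameless BHOs with their orphaned CLSIDs, and the awtrpml Winlogon Notify package) and leaves iTunesHelper, ctfmon, SDHelper and the DLA helper alone. The name-randomness check is deliberately applied only to rundll32 targets and Winlogon Notify packages; applied to every BHO it would also trip on legitimate short names such as tfswshx.dll.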

#2 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 24 March 2008 - 06:09 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Mortimer Snodgrass (Topic Starter)

Posted 24 March 2008 - 10:05 PM

Hi Sam,

Thanks for your help and your prompt reply. :thumbsup:

Here is my ComboFix log:

ComboFix 08-03-24.1 - Todd 2008-03-24 21:18:02.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.27 [GMT -5:00]
Running from: C:\Program Files\AdAware\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1201312837.old
C:\Program Files\WinBudget\bin\matrix.dll.1202004157.old
C:\Program Files\WinBudget\bin\tempzor
C:\Temp\isgTi19
C:\WINDOWS\BMb78e940f.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bjmtxeil.ini
C:\WINDOWS\system32\browsew.dll
C:\WINDOWS\system32\drivers\wpypbtsl.dat
C:\WINDOWS\system32\gfsqnfaf.ini
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gjkmp.ini2
C:\WINDOWS\system32\grvhtqff.ini
C:\WINDOWS\system32\jnyreugn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\tcoicdas.ini
C:\WINDOWS\system32\vturrop.dll
C:\WINDOWS\system32\xykfpiyy.ini
C:\WINDOWS\system32\yayywvs.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WAKBDONV
-------\Service_wakbdonv


((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-23 20:14 . 2008-03-23 21:09 <DIR> d-------- C:\HijackThis
2008-03-23 19:33 . 2008-03-23 19:35 <DIR> d-------- C:\Documents and Settings\Todd\.housecall6.6
2008-03-22 20:31 . 2008-03-22 20:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-22 20:31 . 2008-03-23 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 19:47 . 2008-03-22 19:47 <DIR> d-------- C:\Program Files\CCleaner
2008-03-22 14:21 . 2008-03-22 14:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-22 14:21 . 2008-03-22 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 13:58 . 2008-03-24 21:06 <DIR> d-------- C:\Program Files\AdAware
2008-03-22 12:38 . 2008-03-22 12:41 <DIR> d-------- C:\Program Files\eSoftware
2008-03-22 12:36 . 2008-03-22 23:46 1,729,809 ---hs---- C:\WINDOWS\system32\jjncviii.ini
2008-03-14 16:27 . 2008-03-22 12:33 2,266,719 ---hs---- C:\WINDOWS\system32\jrmapvdr.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 00:16 --------- d-----w C:\Program Files\Recipe Calc
2008-03-23 00:11 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-03-23 00:05 --------- d-----w C:\Program Files\DeductionPro 2005-06
2008-03-23 00:05 --------- d-----w C:\Program Files\Common Files\aolshare
2008-03-23 00:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-23 00:05 --------- d-----w C:\Program Files\America Online 9.0
2008-03-23 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-22 21:30 --------- d-----w C:\Program Files\iTunes
2008-03-22 19:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-13 03:34 --------- d-----w C:\Documents and Settings\Todd\Application Data\McAfee
2008-02-10 00:00 --------- d-----w C:\Program Files\QuickTime
2008-02-08 01:44 --------- d-----w C:\Documents and Settings\LocalService\Application Data\GOODSEARCH
2008-02-07 03:30 --------- d-----w C:\Documents and Settings\Todd\Application Data\AOL
2008-02-06 05:38 --------- d-----w C:\Program Files\Real
2007-12-31 04:13 1,272 ----a-w C:\Documents and Settings\Todd\Application Data\wklnhst.dat
2005-11-03 23:29 72,832 ----a-r C:\WINDOWS\inf\CamAvb.sys
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 344,064 2005-06-29 04:05:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-r 622,592 2006-03-28 20:48:54 C:\Program Files\Brother\Brmfcmon\bak\BrMfcWnd.exe

----a-w 61,440 2006-04-10 19:58:06 C:\Program Files\Brother\ControlCenter3\bak\brctrcen.exe

----a-r 155,648 2003-10-14 15:22:30 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 68,856 2007-07-29 02:02:02 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 256,576 2006-10-30 15:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 303,104 2005-09-23 00:29:08 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe

----a-w 212,992 2006-01-11 18:05:42 C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe

----a-w 151,552 2005-07-09 00:18:22 C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe

----a-w 163,840 2005-08-10 17:49:20 C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe

----a-w 53,248 2005-08-12 03:02:44 C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe

----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 40,960 2005-03-17 19:45:52 C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe

----a-w 57,393 2005-03-17 19:25:54 C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe

----a-w 688,218 2004-10-08 21:43:12 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 98,394 2004-10-08 21:44:24 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 65,536 2004-12-30 07:32:20 C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe

----a-w 122,880 2005-04-26 23:13:20 C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe

----a-w 1,077,301 2004-09-07 21:03:20 C:\Program Files\Toshiba\Touch and Launch\bak\PadExe.exe

----a-w 1,093,632 2005-08-01 21:25:44 C:\Program Files\Toshiba\Windows Utilities\bak\Hotkey.exe

----a-w 237,568 2006-04-20 06:35:00 C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\bak\mssysmgr.exe

----a-w 475,136 2003-10-20 16:37:58 C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe

----a-w 151,552 2005-03-18 00:37:26 C:\TOSHIBA\IVP\ISM\bak\pinger.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 122,941 2005-05-31 12:33:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

----a-w 36,864 2000-05-09 15:38:48 C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64317726-f706-45f4-8c92-c6ceae767e6a}]
C:\WINDOWS\system32\fwbkrjlx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D709A42F-432C-4676-A76D-5E7C3587A1D6}]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E}]
2008-03-22 12:38 282636 --a------ C:\Program Files\eSoftware\studio.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC}"= "C:\PROGRA~1\CALORI~1\CALORI~1\CKTOOL~1.DLL" [2007-07-26 12:16 103808]

[HKEY_CLASSES_ROOT\clsid\{4516d1e3-bc1a-4b2f-83ec-f4d0302cd5ac}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{5394A76B-F52F-4149-8E55-3291DC4563F2}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC}"= C:\PROGRA~1\CALORI~1\CALORI~1\CKTOOL~1.DLL [2007-07-26 12:16 103808]

[HKEY_CLASSES_ROOT\clsid\{4516d1e3-bc1a-4b2f-83ec-f4d0302cd5ac}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{5394A76B-F52F-4149-8E55-3291DC4563F2}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe" [2006-01-11 13:05 212992]
"VirusScan Online"="c:\program files\mcafee.com\vso\mcvsshld.exe" [ ]
"b4bda793"="C:\WINDOWS\system32\iiivcnjj.dll" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"BMb78e940f"="C:\WINDOWS\system32\xoqruyks.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-09 16:54:50 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrpml]
awtrpml.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 23:42]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-31 19:08]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2005-05-09 17:17]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 16:27]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S3 busbcrw;USB Card Reader Writer driver;C:\WINDOWS\system32\Drivers\busbcrw.sys [2003-04-22 19:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51d279c5-5443-11dc-b613-00038a000015}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 12:29:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 21:27:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-24 21:35:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 02:35:20
.
2008-03-23 22:06:55 --- E O F ---

#4 Buckeye_Sam (Malware Expert)

Posted 25 March 2008 - 06:48 AM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

File::
C:\WINDOWS\system32\jjncviii.ini
C:\WINDOWS\system32\jrmapvdr.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64317726-f706-45f4-8c92-c6ceae767e6a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D709A42F-432C-4676-A76D-5E7C3587A1D6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b4bda793"=-
"BMb78e940f"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrpml]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.


This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.


===================


Click HERE to download FindAWF.exe and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
========================================================
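A script like the one above runs with full system rights once it is dropped onto ComboFix, so it is worth reading it as an explicit action plan rather than as opaque text. The parser below is an added example for this thread, not ComboFix code and not something the helper posted: it turns the File:: and Registry:: sections into delete actions using the REGEDIT4 conventions the script relies on ([-key] removes a whole key, "name"=- removes one value under the preceding [key] line), rejects lines it cannot parse, and warns when a key deletion would wipe an entire autostart location instead of one entry. The script from the post is embedded as constructed input. The protected-key list is an assumption of the example, and ComboFix's ~ path shorthand is left unexpanded rather than guessed at.

```python
"""Parse a ComboFix CFScript into an explicit action plan before running it.

Added example for this thread; it is not ComboFix code and does not touch
the registry or the file system. It covers only the File:: and Registry::
sections used in the thread. ComboFix's '~' path shorthand is left as-is.
"""
import re
from dataclasses import dataclass

# Constructed input: the script given in the post above.
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\jjncviii.ini
C:\WINDOWS\system32\jrmapvdr.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64317726-f706-45f4-8c92-c6ceae767e6a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D709A42F-432C-4676-A76D-5E7C3587A1D6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"b4bda793"=-
"BMb78e940f"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrpml]
"""


@dataclass(frozen=True)
class Action:
    kind: str        # "delete_file", "delete_key" or "delete_value"
    target: str      # file path or registry key
    name: str = ""   # value name, for delete_value only


# Keys whose wholesale deletion breaks the system or destroys evidence.
# An assumed list for this example; extend it to taste.
PROTECTED_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify",
)
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_CLASSES_ROOT",
         "HKEY_USERS", "HKLM", "HKCU", "HKCR", "HKU")


def parse_cfscript(text: str):
    """Return (actions, errors). Anything not understood becomes an error
    rather than being silently skipped."""
    actions, errors = [], []
    section, current_key = None, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(r"[A-Za-z]+::", line):          # section header, e.g. File::
            section, current_key = line[:-2].lower(), None
            continue
        if section == "file":
            if re.match(r"^[A-Za-z]:\\", line):
                actions.append(Action("delete_file", line))
            else:
                errors.append(f"line {lineno}: File:: entry is not an absolute path: {line}")
        elif section == "registry":
            if m := re.fullmatch(r"\[(?P<minus>-?)(?P<key>[^\]]+)\]", line):
                key = m["key"]
                if key.split("\\", 1)[0].upper() not in HIVES:
                    errors.append(f"line {lineno}: unknown hive in {key}")
                    continue
                if m["minus"]:                          # [-key] deletes the key
                    actions.append(Action("delete_key", key))
                    current_key = None
                else:                                   # [key] selects it for value edits
                    current_key = key
            elif m := re.fullmatch(r'"(?P<name>[^"]+)"=-', line):   # "name"=- deletes a value
                if current_key is None:
                    errors.append(f"line {lineno}: value deletion outside a [key] block: {line}")
                else:
                    actions.append(Action("delete_value", current_key, m["name"]))
            else:
                errors.append(f"line {lineno}: unsupported Registry:: directive: {line}")
        else:
            errors.append(f"line {lineno}: text outside any section: {line}")
    return actions, errors


def risky_actions(actions) -> list:
    """Key deletions that would remove a protected autostart location outright."""
    out = []
    for a in actions:
        if a.kind != "delete_key" or "\\" not in a.target:
            continue
        body = a.target.split("\\", 1)[1].lower()       # path below the hive
        if any(body == p.lower() for p in PROTECTED_KEYS):
            out.append(a)
    return out


if __name__ == "__main__":
    plan, problems = parse_cfscript(SAMPLE_SCRIPT)
    for a in plan:
        print(a.kind, a.target, a.name)
    for p in problems:
        print("ERROR:", p)
    for a in risky_actions(plan):
        print("WARNING: deletes an entire protected key:", a.target)
```

For the script in the post this yields seven actions (two file deletions, three key deletions, two value deletions under the HKLM Run key) and no warnings, because the Winlogon Notify deletion targets the single awtrpml subkey rather than the Notify key itself. A stray [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] line, by contrast, is reported as a protected-key wipe, and a "name"=- line that is not preceded by a [key] line is reported as an error instead of being guessed at.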

#5 Mortimer Snodgrass (Topic Starter)

Posted 25 March 2008 - 11:15 PM

Here are the ComboFix, HijackThis, and AWF logs.

First, ComboFix:

ComboFix 08-03-24.1 - Todd 2008-03-25 22:00:21.2 - NTFSx86
Running from: C:\Documents and Settings\Todd\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Todd\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\jjncviii.ini
C:\WINDOWS\system32\jrmapvdr.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jjncviii.ini
C:\WINDOWS\system32\jrmapvdr.ini

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-23 20:14 . 2008-03-23 21:09 <DIR> d-------- C:\HijackThis
2008-03-23 19:33 . 2008-03-23 19:35 <DIR> d-------- C:\Documents and Settings\Todd\.housecall6.6
2008-03-22 20:31 . 2008-03-22 20:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-22 20:31 . 2008-03-23 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 19:47 . 2008-03-22 19:47 <DIR> d-------- C:\Program Files\CCleaner
2008-03-22 14:21 . 2008-03-22 14:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-22 14:21 . 2008-03-22 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 13:58 . 2008-03-25 21:56 <DIR> d-------- C:\Program Files\AdAware
2008-03-22 12:38 . 2008-03-22 12:41 <DIR> d-------- C:\Program Files\eSoftware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-23 00:16 --------- d-----w C:\Program Files\Recipe Calc
2008-03-23 00:11 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-03-23 00:05 --------- d-----w C:\Program Files\DeductionPro 2005-06
2008-03-23 00:05 --------- d-----w C:\Program Files\Common Files\aolshare
2008-03-23 00:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-23 00:05 --------- d-----w C:\Program Files\America Online 9.0
2008-03-23 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-22 21:30 --------- d-----w C:\Program Files\iTunes
2008-03-22 19:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-13 03:34 --------- d-----w C:\Documents and Settings\Todd\Application Data\McAfee
2008-02-10 00:00 --------- d-----w C:\Program Files\QuickTime
2008-02-08 01:44 --------- d-----w C:\Documents and Settings\LocalService\Application Data\GOODSEARCH
2008-02-07 03:30 --------- d-----w C:\Documents and Settings\Todd\Application Data\AOL
2008-02-06 05:38 --------- d-----w C:\Program Files\Real
2007-12-31 04:13 1,272 ----a-w C:\Documents and Settings\Todd\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 344,064 2005-06-29 04:05:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-r 622,592 2006-03-28 20:48:54 C:\Program Files\Brother\Brmfcmon\bak\BrMfcWnd.exe

----a-w 61,440 2006-04-10 19:58:06 C:\Program Files\Brother\ControlCenter3\bak\brctrcen.exe

----a-r 155,648 2003-10-14 15:22:30 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe

----a-w 68,856 2007-07-29 02:02:02 C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe

----a-w 256,576 2006-10-30 15:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 256,576 2006-10-30 14:36:36 C:\Program Files\iTunes\iTunesHelper.exe

----a-w 303,104 2005-09-23 00:29:08 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe

----a-w 212,992 2006-01-11 18:05:42 C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe

----a-w 151,552 2005-07-09 00:18:22 C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe

----a-w 163,840 2005-08-10 17:49:20 C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe

----a-w 53,248 2005-08-12 03:02:44 C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe

----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 40,960 2005-03-17 19:45:52 C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe

----a-w 57,393 2005-03-17 19:25:54 C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe

----a-w 688,218 2004-10-08 21:43:12 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe

----a-w 98,394 2004-10-08 21:44:24 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe

----a-w 65,536 2004-12-30 07:32:20 C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe

----a-w 122,880 2005-04-26 23:13:20 C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe

----a-w 1,077,301 2004-09-07 21:03:20 C:\Program Files\Toshiba\Touch and Launch\bak\PadExe.exe

----a-w 1,093,632 2005-08-01 21:25:44 C:\Program Files\Toshiba\Windows Utilities\bak\Hotkey.exe

----a-w 237,568 2006-04-20 06:35:00 C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\bak\mssysmgr.exe

----a-w 475,136 2003-10-20 16:37:58 C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe

----a-w 151,552 2005-03-18 00:37:26 C:\TOSHIBA\IVP\ISM\bak\pinger.exe

----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 12:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 122,941 2005-05-31 12:33:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe

----a-w 36,864 2000-05-09 15:38:48 C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E}]
2008-03-22 12:38 282636 --a------ C:\Program Files\eSoftware\studio.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC}"= "C:\PROGRA~1\CALORI~1\CALORI~1\CKTOOL~1.DLL" [2007-07-26 12:16 103808]

[HKEY_CLASSES_ROOT\clsid\{4516d1e3-bc1a-4b2f-83ec-f4d0302cd5ac}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{5394A76B-F52F-4149-8E55-3291DC4563F2}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC}"= C:\PROGRA~1\CALORI~1\CALORI~1\CKTOOL~1.DLL [2007-07-26 12:16 103808]

[HKEY_CLASSES_ROOT\clsid\{4516d1e3-bc1a-4b2f-83ec-f4d0302cd5ac}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{5394A76B-F52F-4149-8E55-3291DC4563F2}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe" [2006-01-11 13:05 212992]
"VirusScan Online"="c:\program files\mcafee.com\vso\mcvsshld.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-09 16:54:50 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 23:42]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-31 19:08]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2005-05-09 17:17]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 16:27]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S3 busbcrw;USB Card Reader Writer driver;C:\WINDOWS\system32\Drivers\busbcrw.sys [2003-04-22 19:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51d279c5-5443-11dc-b613-00038a000015}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 12:29:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 22:04:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-25 22:07:35
ComboFix-quarantined-files.txt 2008-03-26 03:07:29
ComboFix2.txt 2008-03-25 02:35:27
.
2008-03-23 22:06:55 --- E O F ---


Next, the new HijackThis log (I notice the entries in the O4 section pertaining to the files "xoqruyks.dll" and "iivcnjj.dll" are no longer present):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:08 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~2.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: IE - {D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E} - C:\Program Files\eSoftware\studio.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: GoodSearch Toolbar - {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - C:\PROGRA~1\GOODSE~1\GOODSE~2.DLL
O3 - Toolbar: CalorieKing Joslin Browser Toolbar - {4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC} - C:\PROGRA~1\CALORI~1\CALORI~1\CKTOOL~1.DLL
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\bak\mcupdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) - http://webiq005.webiqonline.com/WebIQ/Data...6-6D5536C585C9}
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://campash.brett-robinson.com/activex/AxisCamControl.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photofinale.com/ImageUploader3/ImageUploader3.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activex/v2_...upv2.0.0.10.cab?
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8612 bytes

And last, the AWF.txt log:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Tue 03/25/2008
The current time is: 22:37:19.96


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

06/28/2005 11:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\BROTHER\BRMFCMON\BAK

03/28/2006 03:48 PM 622,592 BrMfcWnd.exe
1 File(s) 622,592 bytes

Directory of C:\PROGRA~1\BROTHER\CONTRO~1\BAK

04/10/2006 02:58 PM 61,440 brctrcen.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

07/28/2007 09:02 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005 07:29 PM 303,104 mcagent.exe
01/11/2006 01:05 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

07/08/2005 07:18 PM 151,552 mcmnhdlr.exe
08/10/2005 12:49 PM 163,840 mcvsshld.exe
08/11/2005 10:02 PM 53,248 oasclnt.exe
3 File(s) 368,640 bytes

Directory of C:\PROGRA~1\SCANSOFT\PAPERP~1\BAK

03/17/2005 02:45 PM 40,960 IndexSearch.exe
03/17/2005 02:25 PM 57,393 pptd40nt.exe
2 File(s) 98,353 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

10/08/2004 04:43 PM 688,218 SynTPEnh.exe
10/08/2004 04:44 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK

12/30/2004 02:32 AM 65,536 toscdspd.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~2\BAK

04/26/2005 06:13 PM 122,880 SmoothView.exe
1 File(s) 122,880 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOUCHA~1\BAK

09/07/2004 04:03 PM 1,077,301 PadExe.exe
1 File(s) 1,077,301 bytes

Directory of C:\PROGRA~1\TOSHIBA\WINDOW~1\BAK

08/01/2005 04:25 PM 1,093,632 Hotkey.exe
1 File(s) 1,093,632 bytes

Directory of C:\TOSHIBA\IVP\ISM\BAK

10/20/2003 11:37 AM 475,136 ivpsvmgr.exe
03/17/2005 07:37 PM 151,552 pinger.exe
2 File(s) 626,688 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

05/31/2005 07:33 AM 122,941 tfswctrl.exe
1 File(s) 122,941 bytes

Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK

10/14/2003 10:22 AM 155,648 SSBkgdupdate.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\WALGRE~1\WALGRE~1\DATA\XTRAS\BAK

04/20/2006 01:35 AM 237,568 mssysmgr.exe
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\BAK

05/09/2000 10:38 AM 36,864 printray.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 22 2008 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
344064 Jun 28 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
622592 Mar 28 2006 "C:\Program Files\Brother\Brmfcmon\bak\BrMfcWnd.exe"
61440 Apr 10 2006 "C:\Program Files\Brother\ControlCenter3\bak\brctrcen.exe"
52272 Feb 11 2007 "C:\Program Files\Google\googletoolbar4user.exe"
138168 Feb 11 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 28 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
151552 Jul 8 2005 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
163840 Aug 10 2005 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
53248 Aug 11 2005 "C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe"
40960 Mar 17 2005 "C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe"
57393 Mar 17 2005 "C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe"
688218 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
98394 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
65536 Dec 30 2004 "C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe"
122880 Apr 26 2005 "C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe"
1077301 Sep 7 2004 "C:\Program Files\Toshiba\Touch and Launch\bak\PadExe.exe"
1093632 Aug 1 2005 "C:\Program Files\Toshiba\Windows Utilities\bak\Hotkey.exe"
475136 Oct 20 2003 "C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe"
151552 Mar 17 2005 "C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
155648 Oct 14 2003 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
237568 Apr 20 2006 "C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\PrinTray.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


end of report

#6 Buckeye_Sam
    Malware Expert

Posted 26 March 2008 - 06:27 AM

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the steps below:

Copy the file paths quoted below to the clipboard: highlight all of them, right-click and choose Copy, or highlight them and press Ctrl+C:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Brother\Brmfcmon\bak\BrMfcWnd.exe"
"C:\Program Files\Brother\ControlCenter3\bak\brctrcen.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
"C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
"C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe"
"C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe"
"C:\Program Files\Toshiba\Touch and Launch\bak\PadExe.exe"
"C:\Program Files\Toshiba\Windows Utilities\bak\Hotkey.exe"
"C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe"
"C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right-click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive a prompt to save the changes; click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 Mortimer Snodgrass
    Topic Starter

Posted 26 March 2008 - 10:00 PM

Here is the content of the AWF.txt file.

Thanks for all of your help so far!


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Wed 03/26/2008
The current time is: 21:42:15.17


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 07:00 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

06/28/2005 11:05 PM 344,064 atiptaxx.exe
1 File(s) 344,064 bytes

Directory of C:\PROGRA~1\BROTHER\BRMFCMON\BAK

03/28/2006 03:48 PM 622,592 BrMfcWnd.exe
1 File(s) 622,592 bytes

Directory of C:\PROGRA~1\BROTHER\CONTRO~1\BAK

04/10/2006 02:58 PM 61,440 brctrcen.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

07/28/2007 09:02 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK

09/22/2005 07:29 PM 303,104 mcagent.exe
01/11/2006 01:05 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK

07/08/2005 07:18 PM 151,552 mcmnhdlr.exe
08/10/2005 12:49 PM 163,840 mcvsshld.exe
08/11/2005 10:02 PM 53,248 oasclnt.exe
3 File(s) 368,640 bytes

Directory of C:\PROGRA~1\SCANSOFT\PAPERP~1\BAK

03/17/2005 02:45 PM 40,960 IndexSearch.exe
03/17/2005 02:25 PM 57,393 pptd40nt.exe
2 File(s) 98,353 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

10/08/2004 04:43 PM 688,218 SynTPEnh.exe
10/08/2004 04:44 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSCDSPD\BAK

12/30/2004 02:32 AM 65,536 toscdspd.exe
1 File(s) 65,536 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOSHIB~2\BAK

04/26/2005 06:13 PM 122,880 SmoothView.exe
1 File(s) 122,880 bytes

Directory of C:\PROGRA~1\TOSHIBA\TOUCHA~1\BAK

09/07/2004 04:03 PM 1,077,301 PadExe.exe
1 File(s) 1,077,301 bytes

Directory of C:\PROGRA~1\TOSHIBA\WINDOW~1\BAK

08/01/2005 04:25 PM 1,093,632 Hotkey.exe
1 File(s) 1,093,632 bytes

Directory of C:\TOSHIBA\IVP\ISM\BAK

10/20/2003 11:37 AM 475,136 ivpsvmgr.exe
03/17/2005 07:37 PM 151,552 pinger.exe
2 File(s) 626,688 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

05/31/2005 07:33 AM 122,941 tfswctrl.exe
1 File(s) 122,941 bytes

Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK

10/14/2003 10:22 AM 155,648 SSBkgdupdate.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\WALGRE~1\WALGRE~1\DATA\XTRAS\BAK

04/20/2006 01:35 AM 237,568 mssysmgr.exe
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\2\BAK

05/09/2000 10:38 AM 36,864 printray.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Mar 22 2008 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
344064 Jun 28 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Jun 28 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
622592 Mar 28 2006 "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe"
622592 Mar 28 2006 "C:\Program Files\Brother\Brmfcmon\bak\BrMfcWnd.exe"
61440 Apr 10 2006 "C:\Program Files\Brother\ControlCenter3\brctrcen.exe"
61440 Apr 10 2006 "C:\Program Files\Brother\ControlCenter3\bak\brctrcen.exe"
52272 Feb 11 2007 "C:\Program Files\Google\googletoolbar4user.exe"
68856 Jul 28 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
138168 Feb 11 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 28 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
151552 Jul 8 2005 "C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe"
151552 Jul 8 2005 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
163840 Aug 10 2005 "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
163840 Aug 10 2005 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
53248 Aug 11 2005 "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
53248 Aug 11 2005 "C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe"
40960 Mar 17 2005 "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
40960 Mar 17 2005 "C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe"
57393 Mar 17 2005 "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
57393 Mar 17 2005 "C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe"
688218 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
688218 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
688218 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
98394 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe"
98394 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
98394 Oct 8 2004 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
65536 Dec 30 2004 "C:\Program Files\Toshiba\TOSCDSPD\toscdspd.exe"
65536 Dec 30 2004 "C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe"
122880 Apr 26 2005 "C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe"
122880 Apr 26 2005 "C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe"
1077301 Sep 7 2004 "C:\Program Files\Toshiba\Touch and Launch\PadExe.exe"
1077301 Sep 7 2004 "C:\Program Files\Toshiba\Touch and Launch\bak\PadExe.exe"
1093632 Aug 1 2005 "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe"
1093632 Aug 1 2005 "C:\Program Files\Toshiba\Windows Utilities\bak\Hotkey.exe"
475136 Oct 20 2003 "C:\TOSHIBA\IVP\ISM\ivpsvmgr.exe"
475136 Oct 20 2003 "C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe"
151552 Mar 17 2005 "C:\TOSHIBA\IVP\ISM\pinger.exe"
151552 Mar 17 2005 "C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
155648 Oct 14 2003 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
155648 Oct 14 2003 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
237568 Apr 20 2006 "C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\mssysmgr.exe"
237568 Apr 20 2006 "C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\PrinTray.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\2\printray.exe"
36864 May 9 2000 "C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"


end of report

#8 Buckeye_Sam
    Malware Expert

Posted 27 March 2008 - 07:21 AM

Well that didn't work, so we're going to have to do this manually. First I want to explain what this particular infection does on your computer. It copies itself to files that typically run on startup and then moves the original file into a new folder named "bak". What we need to do is to copy the original file back to the correct place and then delete the "bak" folder.

Go to first folder: C:\Program Files\iTunes\bak
You'll find iTunesHelper.exe in there. Cut and paste the iTunesHelper.exe file back to its original folder, C:\Program Files\iTunes.
C:\Program Files\iTunes\bak should be empty now and the iTunesHelper.exe file should be back in C:\Program Files\iTunes; double-check this.
Then delete the BAK folder there.


Now you'll need to repeat that same process with the files in these folders.

"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
"C:\Program Files\Brother\Brmfcmon\bak\BrMfcWnd.exe"
"C:\Program Files\Brother\ControlCenter3\bak\brctrcen.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
"C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
"C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
"C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\IndexSearch.exe"
"C:\Program Files\ScanSoft\PaperPort\bak\pptd40nt.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\Program Files\Toshiba\TOSCDSPD\bak\toscdspd.exe"
"C:\Program Files\Toshiba\TOSHIBA Zooming Utility\bak\SmoothView.exe"
"C:\Program Files\Toshiba\Touch and Launch\bak\PadExe.exe"
"C:\Program Files\Toshiba\Windows Utilities\bak\Hotkey.exe"
"C:\TOSHIBA\IVP\ISM\bak\ivpsvmgr.exe"
"C:\TOSHIBA\IVP\ISM\bak\pinger.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Walgreens\Walgreens PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\2\bak\printray.exe"



Let me know if you have any questions about how to proceed.

When you are done, please post a new ComboFix log.


========================================================
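A working check for the "bak" swap pattern Buckeye_Sam describes in posts #6 and #8, added here as an example; it is not part of this thread and is not noahdfear's FindAWF, whose internals the thread never shows. It walks a tree, pairs every executable found inside a folder named bak with the same-named file one level up, and labels the pair: replaced when the live file differs from the backup (the state the first AWF.txt report shows, where most bak files had no same-size twin in the parent folder), identical when the two already match (the state of the second AWF.txt, where every bak file has a same-size twin), and live_missing when the live slot is empty. restore_from_bak then carries out the manual procedure from post #8: it renames the swapped-in file aside rather than deleting it, copies the backup back, removes the bak folder once it is empty, and reports locked on a PermissionError, which is the "could not replace the existing file" situation reported in post #9 below. The SHA-256 comparison, the status names, the .quarantine suffix and the throwaway tree built by build_sample_tree are all this example's own assumptions.

```python
# Added example (not from the thread and not noahdfear's FindAWF): find the
# "bak" swap pattern and undo it. Pairing by name with the parent folder and
# comparing by SHA-256 are this example's own choices, as is the sample tree.
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

EXE_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_swaps(root):
    """One record per executable inside any folder named 'bak'. status is
    'replaced' (live file differs from the backup), 'identical' (already
    restored, bak folder left behind) or 'live_missing' (live slot empty)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in files:
            backup = d / name
            if backup.suffix.lower() not in EXE_SUFFIXES:
                continue
            live = d.parent / name  # where the original used to run from
            rec = {"backup": backup, "live": live, "status": "live_missing",
                   "backup_size": backup.stat().st_size}
            if live.exists():
                rec["live_size"] = live.stat().st_size
                same = sha256_of(live) == sha256_of(backup)
                rec["status"] = "identical" if same else "replaced"
            findings.append(rec)
    return findings


def restore_from_bak(findings, dry_run=True):
    """The manual fix from the thread: put the original back, then delete the
    bak folder. The swapped-in live file is renamed aside, not deleted, so it
    can still be examined. Returns (op, src, dst, result) tuples; result is
    'planned', 'done' or 'locked' (PermissionError: file in use)."""
    actions = []
    for f in findings:
        backup, live = f["backup"], f["live"]
        if f["status"] == "replaced":
            actions.append(("quarantine", live, live.with_name(live.name + ".quarantine")))
        if f["status"] != "identical":
            actions.append(("restore", backup, live))
        actions.append(("delete_backup", backup, None))
    results = []
    for op, src, dst in actions:
        if dry_run:
            results.append((op, src, dst, "planned"))
            continue
        try:
            if op == "quarantine":
                src.rename(dst)
            elif op == "restore":
                shutil.copy2(src, dst)
            else:
                src.unlink()
                try:
                    src.parent.rmdir()  # only succeeds once bak is empty
                except OSError:
                    pass
            results.append((op, src, dst, "done"))
        except PermissionError:
            results.append((op, src, dst, "locked"))
    return results


def build_sample_tree():
    """Constructed throwaway tree mirroring the thread's layout; not real files."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    original = b"MZ original " + b"\x00" * 200   # 212 bytes
    swapped = b"MZ downloader " + b"\x00" * 500   # 514 bytes
    itunes = root / "Program Files" / "iTunes"     # swapped-in copy still live
    qt = root / "Program Files" / "QuickTime"      # already restored by hand
    sys32 = root / "WINDOWS" / "system32"          # live copy gone
    for d in (itunes, qt, sys32):
        (d / "bak").mkdir(parents=True)
    (itunes / "iTunesHelper.exe").write_bytes(swapped)
    (itunes / "bak" / "iTunesHelper.exe").write_bytes(original)
    (qt / "qttask.exe").write_bytes(original)
    (qt / "bak" / "qttask.exe").write_bytes(original)
    (sys32 / "bak" / "ctfmon.exe").write_bytes(original)
    (sys32 / "bak" / "notes.txt").write_bytes(b"not an executable, ignored")
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)
```

Run find_bak_swaps against C:\ (or any drive root) with dry_run left at True first and read the plan; only then rerun with dry_run=False. A locked result means the live copy is in use, exactly what the poster hit by hand, and that file has to be dealt with from Safe Mode or an offline boot rather than from the running system.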

#9 Mortimer Snodgrass
    Topic Starter

Posted 27 March 2008 - 03:56 PM

Sam,

I was able to manually delete all files and bak folders except the following, which gave me a message saying I could not replace the existing file:

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
"C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe"

Here is the new ComboFix log. I will be away from the computer for several days, so I will check in again with you on Sunday evening. Thanks so much for your help.

ComboFix 08-03-24.1 - Todd 2008-03-27 15:29:29.3 - NTFSx86
Running from: C:\Documents and Settings\Todd\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
Findstr -MRF:/ "cies\\Explorer\\Run Always.CallByControl.GetPlayerVersion.Stop.playAd"
CF25614.exe /c " VFind.exe -ltf -s-1000000 -d+2007-12-27 "C:\Program Files\*" >progfile.dat"
VFind.exe -ltf -s-1000000 -d+2007-12-27 "C:\Program Files\*"
CF25614.exe /c " dir /a/s/b C:\_desktop.ini C:\desktop_.ini C:\cnsmin* C:\_install.exe >DirRoot"

((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-27 06:43 . 2008-03-27 06:44 <DIR> d-------- C:\WINDOWS\LastGood
2008-03-23 20:14 . 2008-03-25 22:21 <DIR> d-------- C:\HijackThis
2008-03-23 19:33 . 2008-03-23 19:35 <DIR> d-------- C:\Documents and Settings\Todd\.housecall6.6
2008-03-22 20:31 . 2008-03-22 20:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-22 20:31 . 2008-03-23 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 19:47 . 2008-03-22 19:47 <DIR> d-------- C:\Program Files\CCleaner
2008-03-22 14:21 . 2008-03-22 14:21 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-22 14:21 . 2008-03-22 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-22 13:58 . 2008-03-26 21:49 <DIR> d-------- C:\Program Files\AdAware
2008-03-22 12:38 . 2008-03-22 12:41 <DIR> d-------- C:\Program Files\eSoftware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 20:06 --------- d-----w C:\Program Files\QuickTime
2008-03-23 00:16 --------- d-----w C:\Program Files\Recipe Calc
2008-03-23 00:11 --------- d-----w C:\Program Files\Lexmark Toolbar
2008-03-23 00:05 --------- d-----w C:\Program Files\DeductionPro 2005-06
2008-03-23 00:05 --------- d-----w C:\Program Files\Common Files\aolshare
2008-03-23 00:05 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-23 00:05 --------- d-----w C:\Program Files\America Online 9.0
2008-03-23 00:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-03-22 21:30 --------- d-----w C:\Program Files\iTunes
2008-03-22 19:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 03:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-02-13 03:34 --------- d-----w C:\Documents and Settings\Todd\Application Data\McAfee
2008-02-08 01:44 --------- d-----w C:\Documents and Settings\LocalService\Application Data\GOODSEARCH
2008-02-07 03:30 --------- d-----w C:\Documents and Settings\Todd\Application Data\AOL
2008-02-06 05:38 --------- d-----w C:\Program Files\Real
2007-12-31 04:13 1,272 ----a-w C:\Documents and Settings\Todd\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-24_21.33.50.04 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-08-10 16:22:10 114,464 ----a-w C:\WINDOWS\LastGood\system32\DRIVERS\naiavf5x.sys
+ 2000-05-09 15:38:48 36,864 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\2\printray.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D83A7B12-A4D4-4984-8F72-D41C6B4C1E6E}]
2008-03-22 12:38 282636 --a------ C:\Program Files\eSoftware\studio.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC}"= "C:\PROGRA~1\CALORI~1\CALORI~1\CKTOOL~1.DLL" [2007-07-26 12:16 103808]

[HKEY_CLASSES_ROOT\clsid\{4516d1e3-bc1a-4b2f-83ec-f4d0302cd5ac}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{5394A76B-F52F-4149-8E55-3291DC4563F2}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4516D1E3-BC1A-4B2F-83EC-F4D0302CD5AC}"= C:\PROGRA~1\CALORI~1\CALORI~1\CKTOOL~1.DLL [2007-07-26 12:16 103808]

[HKEY_CLASSES_ROOT\clsid\{4516d1e3-bc1a-4b2f-83ec-f4d0302cd5ac}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{5394A76B-F52F-4149-8E55-3291DC4563F2}]
[HKEY_CLASSES_ROOT\CKToolbar.CKToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NDSTray.exe"="NDSTray.exe" []
"MCUpdateExe"="c:\PROGRA~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 13:05 212992]
"VirusScan Online"="C:\Program Files\McAfee.com\VSO\mcvsshld.exe" [2005-08-10 12:49 163840]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 09:36 256576]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\McAgent.exe" [2005-09-22 19:29 303104]
"VSOCheckTask"="C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" [2005-07-08 19:18 151552]
"OASClnt"="C:\Program Files\McAfee.com\VSO\oasclnt.exe" [2005-08-11 22:02 53248]
"CleanUp"="C:\PROGRA~1\McAfee.com\Shared\mcappins.exe" [2006-01-23 17:55 131072]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2005-11-04 15:04:48 176128]
RAMASST.lnk - C:\WINDOWS\system32\RAMASST.exe [2005-08-09 16:54:50 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 BoiHwsetup;Access 32bits INT15 routine;C:\WINDOWS\system32\drivers\BoiHwSetup.sys [2005-06-10 23:42]
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys [2005-03-31 19:08]
R3 qkbfiltr;Quanta HotKey Keyboard Filter Driver;C:\WINDOWS\system32\drivers\qkbfiltr.sys [2005-05-09 17:17]
R3 qmofiltr;Quanta HotKey Mouse Filter Driver;C:\WINDOWS\system32\drivers\qmofiltr.sys [2005-05-05 16:27]
S3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 12:50]
S3 busbcrw;USB Card Reader Writer driver;C:\WINDOWS\system32\Drivers\busbcrw.sys [2003-04-22 19:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51d279c5-5443-11dc-b613-00038a000015}]
\Shell\AutoRun\command - E:\Autorun.exe /run
\Shell\Shell00\Command - E:\Autorun.exe /run
\Shell\Shell01\Command - E:\Autorun.exe /action
\Shell\Shell02\Command - E:\Autorun.exe /uninstall

.
Contents of the 'Scheduled Tasks' folder
"2008-02-04 12:29:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 15:35:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-27 15:38:09
ComboFix-quarantined-files.txt 2008-03-27 20:38:02
ComboFix2.txt 2008-03-26 03:07:36
ComboFix3.txt 2008-03-25 02:35:27
.
2008-03-23 22:06:55 --- E O F ---

#10 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 27 March 2008 - 05:32 PM

No problem on the delay. I'm sure to be around. :thumbsup:
Your log looks much better, but we want to be sure we didn't miss anything.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



========================================================

#11 Mortimer Snodgrass (Topic Starter, Members, 7 posts)

Posted 30 March 2008 - 10:38 PM

I'm back! Thanks for all your help. Here is the log from the Kaspersky scan. Looks like there still are some infected files.

Also, what should I do about the 5 files that I could not manually replace and delete last Thursday (iTunesHelper.exe, ctfmon.exe, mcagent.exe, mcvsshld.exe, and oasclnt.exe)?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 30, 2008 10:21:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 673658
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 63787
Number of viruses found: 18
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 01:01:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\MSHist012008033020080331\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Todd\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\wpypbtsl.dat.vir Object is locked skipped
C:\QooBox\Quarantine\catchme2008-03-24_212726.34.zip/wpypbtsl.dat Infected: Rootkit.Win32.Agent.aap skipped
C:\QooBox\Quarantine\catchme2008-03-24_212726.34.zip/wpypbtsl.dat.1 Infected: Rootkit.Win32.Agent.aap skipped
C:\QooBox\Quarantine\catchme2008-03-24_212726.34.zip ZIP: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP12\A0006324.exe Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP12\A0006329.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006348.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006349.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006360.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.j skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006361.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.k skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006362.dll Infected: not-a-virus:AdWare.Win32.SearchAssistant.l skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006365.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006366.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006367.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006373.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006374.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006375.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006376.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006377.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006377.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006378.exe Infected: not-virus:Hoax.Win32.Renos.ati skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006379.exe Infected: Trojan-Downloader.Win32.Agent.lqu skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP15\A0006419.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP15\A0006420.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP18\change.log Object is locked skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP3\A0001016.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP3\A0001025.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP6\A0002250.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP6\A0002251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP8\A0002377.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP8\A0002584.exe Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP8\A0003588.exe Infected: Trojan-Downloader.Win32.Agent.kvv skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP8\A0003589.dll Infected: Trojan.Win32.Pakes.cdw skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP8\A0004579.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP8\A0004587.exe Infected: Trojan-Downloader.Win32.Agent.lbx skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP8\A0005579.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP9\A0005611.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.bo skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP9\A0005616.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.bp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\T30DebugLogFile.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#12 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 31 March 2008 - 06:14 AM

Delete this file manually.

C:\WINDOWS\Downloaded Program Files\popcaploader.dll


Also, what should I do about the 5 files that I could not manually replace and delete last Thursday (iTunesHelper.exe, ctfmon.exe, mcagent.exe, mcvsshld.exe, and oasclnt.exe)?

Those files do not appear to be infected or they would have shown up in the Kaspersky scan.

So you should be good to go. :thumbsup:

How is your computer working? Any problems?

Edited by Buckeye_Sam, 31 March 2008 - 06:14 AM.



========================================================
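
The helper's reasoning above (a file that does not appear as "Infected:" in the Kaspersky report is not a finding) can be automated. The following is an added example, not code from the thread or from any tool named in it: it parses a report in the format posted above, separates detections sitting in System Restore points and the ComboFix quarantine from objects that are live on disk, and checks whether a list of file names was flagged at all. SAMPLE_REPORT is a constructed excerpt of the report in this thread.

```python
"""Triage a Kaspersky Online Scanner report of the kind posted in this thread.

Added example, not part of the thread. Every result line in the report has
the shape "<object path> <verdict> <last action>", where the verdict is one of
"Infected: <detection>", "Object is locked", or "<ZIP|NSIS>: infected - <n>".
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed excerpt; paths and detection names are copied from the report above.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Todd\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\catchme2008-03-24_212726.34.zip/wpypbtsl.dat Infected: Rootkit.Win32.Agent.aap skipped
C:\QooBox\Quarantine\catchme2008-03-24_212726.34.zip ZIP: infected - 2 skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006360.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.j skipped
C:\System Volume Information\_restore{F6221601-BABC-4B69-922D-F7E899FB13E9}\RP13\A0006376.exe Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# The path may contain spaces, so it is matched lazily up to one of the three verdict forms.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>ZIP|NSIS): infected - (?P<count>\d+))"
    r" (?P<action>\S+)$"
)


@dataclass
class Finding:
    path: str
    verdict: str          # "infected", "locked" or "archive"
    name: Optional[str]   # detection name, only for "infected"
    location: str         # "restore-point", "quarantine" or "live"


def classify_location(path: str) -> str:
    """Restore points and the ComboFix quarantine hold copies, not running code."""
    lower = path.lower()
    if "\\system volume information\\_restore" in lower:
        return "restore-point"
    if "\\qoobox\\quarantine" in lower:
        return "quarantine"
    return "live"


def parse_report(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, statistics, blank lines and the trailer
        if m.group("name"):
            verdict = "infected"
        elif m.group("locked"):
            verdict = "locked"
        else:
            verdict = "archive"
        path = m.group("path")
        findings.append(Finding(path, verdict, m.group("name"), classify_location(path)))
    return findings


def live_infections(findings: Iterable[Finding]) -> List[Finding]:
    """Infected objects outside restore points and quarantine: the ones needing action."""
    return [f for f in findings if f.verdict == "infected" and f.location == "live"]


def summarize(findings: Iterable[Finding]) -> Counter:
    """Count findings by (location, verdict), e.g. ('restore-point', 'infected')."""
    return Counter((f.location, f.verdict) for f in findings)


def infected_basenames(findings: Iterable[Finding]) -> Set[str]:
    """Lower-cased file names flagged as infected, including members inside archives."""
    names = set()
    for f in findings:
        if f.verdict == "infected":
            # Archive members are written as "archive.zip/member", so normalise both separators.
            names.add(f.path.replace("/", "\\").rsplit("\\", 1)[-1].lower())
    return names


def flagged_among(findings: Iterable[Finding], filenames: Iterable[str]) -> List[str]:
    """Which of the given file names (case-insensitive) appear as infected objects."""
    flagged = infected_basenames(findings)
    return [n for n in filenames if n.lower() in flagged]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    for key, n in sorted(summarize(found).items()):
        print(f"{key[0]:>14} {key[1]:>9}: {n}")
    for f in live_infections(found):
        print("needs action:", f.path, f.name)
    leftover = ["iTunesHelper.exe", "ctfmon.exe", "mcagent.exe", "mcvsshld.exe", "oasclnt.exe"]
    print("flagged among leftover bak files:", flagged_among(found, leftover) or "none")
```

On the constructed excerpt the only live detection is popcaploader.dll, matching the helper's instruction, and none of the five leftover bak files is flagged.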

#13 Mortimer Snodgrass (Topic Starter, Members, 7 posts)

Posted 31 March 2008 - 09:16 PM

I manually deleted popcaploader.dll (actually the entire object) by right-clicking on the icon and selecting "Remove."

Knock on wood, my computer seems to be working much, much better. The browser redirects and boot-up error messages that prompted this clean-up effort have been absent the last several days. The McAfee Security Center, which previously displayed an error message saying it could not load, now loads and operates just fine.

Is there any final scan or test I should run to confirm everything is OK?

Thanks for all your help.

#14 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 01 April 2008 - 06:46 AM

Based on your description of how your computer is working now you don't have any active malware affecting your computer. There could be traces left over in your registry that should be picked up and removed by Adaware or Spybot. I've posted more info on those two programs below. I definitely recommend their regular use.

Just a few last things and you should be good to go! :thumbsup:

First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.
http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/

===================

Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

==================

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online and stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:wacko: :blink:


========================================================

#15 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Pickerington, Ohio)

Posted 21 April 2008 - 07:15 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================