
Computer running slow, especially some websites


  • This topic is locked
17 replies to this topic

#1 NotACylon

NotACylon

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 14 February 2009 - 01:25 AM

My PC has got slower in the past months. The info you provide is good as a starter to find the cause, but it is still slow. I have run Microsoft's Malicious Software Removal Tool, Malwarebytes' Anti-Malware, RootkitRevealer and have AVG running. Have defragged my hard drive and paging file. Wondering why some websites have become so slow. Ran HijackThis and it did indicate one potential issue (doginhispen.com) and not sure what else. I searched for how to solve doginhispen.com and got very different answers, some as drastic as reinstalling the OS (XP SP 1). Should I post the HijackThis log in that forum or something else?



#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:21 AM

Posted 14 February 2009 - 10:18 AM

Hello and welcome. Please do these and we'll determine if we can fix this without the HJT.

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to desktop.
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Now run this.
Click HERE to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 1, then press Enter.
FindAWF tool will begin scanning.
It may take a few minutes to complete so be patient.
When the scan is finished, a text file in notepad called AWF.txt will automatically open.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 NotACylon

NotACylon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 17 February 2009 - 12:42 AM

Thanks for the help. I ran programs as specified and here are the results -

Note that I save cookies in folders before I delete them, since they contain log in info for websites. I didn't include tracking cookies in those folders found by SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/16/2009 at 09:01 PM

Application Version : 4.25.1012

Core Rules Database Version : 3760
Trace Rules Database Version: 1722

Scan type : Complete Scan
Total Scan Time : 03:18:26

Memory items scanned : 235
Memory threats detected : 0
Registry items scanned : 6657
Registry threats detected : 0
File items scanned : 87419
File threats detected : 657

Adware.Tracking Cookie
C:\Documents and Settings\James\Cookies\james@2o7[2].txt
C:\Documents and Settings\James\Cookies\james@ads.monster[2].txt
C:\Documents and Settings\James\Cookies\james@media.adrevolver[1].txt
C:\Documents and Settings\James\Cookies\james@doubleclick[1].txt
C:\Documents and Settings\James\Cookies\james@adinterax[2].txt
C:\Documents and Settings\James\Cookies\james@adserver.adtechus[1].txt
C:\Documents and Settings\James\Cookies\james@serving-sys[1].txt
C:\Documents and Settings\James\Cookies\james@interclick[2].txt
C:\Documents and Settings\James\Cookies\james@mediaplex[1].txt
C:\Documents and Settings\James\Cookies\james@adopt.euroclick[2].txt
C:\Documents and Settings\James\Cookies\james@hitbox[2].txt
C:\Documents and Settings\James\Cookies\james@cb.adbureau[1].txt
C:\Documents and Settings\James\Cookies\james@specificmedia[2].txt
C:\Documents and Settings\James\Cookies\james@a1.interclick[2].txt
C:\Documents and Settings\James\Cookies\james@ads.pointroll[1].txt
C:\Documents and Settings\James\Cookies\james@tribalfusion[1].txt
C:\Documents and Settings\James\Cookies\james@richmedia.yahoo[2].txt
C:\Documents and Settings\James\Cookies\james@bs.serving-sys[2].txt
C:\Documents and Settings\James\Cookies\james@ehg-speakeasy.hitbox[2].txt
C:\Documents and Settings\James\Cookies\james@nextag[2].txt
C:\Documents and Settings\James\Cookies\james@ad.yieldmanager[1].txt
C:\Documents and Settings\James\Cookies\james@adopt.specificclick[1].txt
C:\Documents and Settings\James\Cookies\james@advertising[1].txt
C:\Documents and Settings\James\Cookies\james@specificclick[1].txt
C:\Documents and Settings\James\Cookies\james@trafficmp[2].txt
C:\Documents and Settings\James\Cookies\james@adrevolver[2].txt
C:\Documents and Settings\James\Cookies\james@adlegend[2].txt
C:\Documents and Settings\James\Cookies\james@media6degrees[1].txt
C:\Documents and Settings\James\Cookies\james@ehg-jobster.hitbox[2].txt
C:\Documents and Settings\James\Cookies\james@atdmt[2].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\james@ads.ah-ha[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\james@ads.monster[1].txt

Disk D: on my system is a backup for C:, last backed up 2/7. AWF took almost 2 hours to run (Have about 100K files on my system). Looks like it finds any folder name ending in "bak". I sometimes create folders with that name:

Find AWF report by noahdfear 2006
Version 1.40

The current date is: Mon 02/16/2009
The current time is: 21:22:27.10


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MIAF83~1\BAK

11/15/2005 12:12 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/14/2003 08:16 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

01/25/2002 02:30 AM 290,816 khooker.exe
07/09/2001 04:50 AM 155,648 NeroCheck.exe
03/19/2002 04:30 PM 45,632 taskswitch.exe
3 File(s) 492,096 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

08/16/2007 12:10 PM 416,256 avgcc.exe
1 File(s) 416,256 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

12/10/2002 06:32 PM 155,648 ISStart.exe
12/10/2002 06:31 PM 61,440 LogiTray.exe
2 File(s) 217,088 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

11/30/2006 09:49 PM 4,662,776 YahooMessenger.exe
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIV~2\BAK

12/10/2002 05:54 PM 127,022 LVCOMS.EXE
1 File(s) 127,022 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 10:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes

Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

11/08/2005 09:35 AM 36,864 LogitechDesktopMessenger.exe
1 File(s) 36,864 bytes

Directory of D:\PROGRA~1\MICROS~2\BAK

11/15/2005 12:12 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes

Directory of D:\PROGRA~1\QUICKT~1\BAK

05/14/2003 08:16 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of D:\WINDOWS\SYSTEM32\BAK

01/25/2002 02:30 AM 290,816 khooker.exe
07/09/2001 04:50 AM 155,648 NeroCheck.exe
03/19/2002 04:30 PM 45,632 taskswitch.exe
3 File(s) 492,096 bytes

Directory of D:\PROGRA~1\GRISOFT\AVG7\BAK

08/16/2007 12:10 PM 416,256 avgcc.exe
1 File(s) 416,256 bytes

Directory of D:\PROGRA~1\LOGITECH\IMAGES~1\BAK

12/10/2002 06:32 PM 155,648 ISStart.exe
12/10/2002 06:31 PM 61,440 LogiTray.exe
2 File(s) 217,088 bytes

Directory of D:\PROGRA~1\YAHOO!\MESSEN~1\BAK

11/30/2006 09:49 PM 4,662,776 YahooMessenger.exe
1 File(s) 4,662,776 bytes

Directory of D:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of D:\PROGRA~1\COMMON~1\LOGITECH\QCDRIV~2\BAK

12/10/2002 05:54 PM 127,022 LVCOMS.EXE
1 File(s) 127,022 bytes

Directory of D:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of D:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 10:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes

Directory of D:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

11/08/2005 09:35 AM 36,864 LogitechDesktopMessenger.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
473928 Nov 15 2005 "D:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
98304 May 28 2008 "C:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
98304 May 28 2008 "D:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "D:\Program Files\QuickTime\bak\qttask.exe"
290816 Jan 25 2002 "C:\WINDOWS\system32\bak\khooker.exe"
290816 Jan 25 2002 "D:\WINDOWS\system32\bak\khooker.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Jul 9 2001 "D:\WINDOWS\system32\bak\NeroCheck.exe"
545936 Jun 15 2006 "C:\Programs\TaskswitchPowertoySetup.exe"
45632 Mar 19 2002 "C:\WINDOWS\system32\bak\taskswitch.exe"
545936 Jun 15 2006 "D:\Programs\TaskswitchPowertoySetup.exe"
45632 Mar 19 2002 "D:\WINDOWS\system32\bak\taskswitch.exe"
590848 Oct 17 2008 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
590848 Oct 17 2008 "D:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "D:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
155648 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
61440 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
39792 Oct 15 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
39792 Oct 15 2008 "D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
40048 May 11 2007 "D:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
127022 Dec 10 2002 "C:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
127022 Dec 10 2002 "D:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "D:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
63712 Mar 9 2007 "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
36864 Nov 8 2005 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
36864 Nov 8 2005 "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
473928 Nov 15 2005 "D:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
98304 May 28 2008 "C:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
98304 May 28 2008 "D:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "D:\Program Files\QuickTime\bak\qttask.exe"
290816 Jan 25 2002 "C:\WINDOWS\system32\bak\khooker.exe"
290816 Jan 25 2002 "D:\WINDOWS\system32\bak\khooker.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Jul 9 2001 "D:\WINDOWS\system32\bak\NeroCheck.exe"
545936 Jun 15 2006 "C:\Programs\TaskswitchPowertoySetup.exe"
45632 Mar 19 2002 "C:\WINDOWS\system32\bak\taskswitch.exe"
545936 Jun 15 2006 "D:\Programs\TaskswitchPowertoySetup.exe"
45632 Mar 19 2002 "D:\WINDOWS\system32\bak\taskswitch.exe"
590848 Oct 17 2008 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
590848 Oct 17 2008 "D:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "D:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
155648 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
61440 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
39792 Oct 15 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
39792 Oct 15 2008 "D:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
40048 May 11 2007 "D:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
127022 Dec 10 2002 "C:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
127022 Dec 10 2002 "D:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "D:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
63712 Mar 9 2007 "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
36864 Nov 8 2005 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
36864 Nov 8 2005 "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:21 AM

Posted 17 February 2009 - 01:45 PM

Hi, you do have an AWF infection. Before I can do the next step I need to know if any of your created bak folders are in the list. If so, which? Thanks.

#5 NotACylon

NotACylon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 17 February 2009 - 06:10 PM

I did a search in Explorer of bak on the C: drive to get full path names. None of the bak folders are ones I created. Since they are all related to programs, not sure if installing a later version of a program ever creates one. They contain .exe files, sometimes their parent directory contains the same file with a later date. There was an odd one "LogitechDesktopMessenger.exe.appid.8876480" with no size in the parent directory, where the bak folder has LogitechDesktopMessenger.exe.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:21 AM

Posted 18 February 2009 - 12:10 PM

Hello, I have to work out all those bak files and will post a step for that. In the meantime let's be certain there is nothing else here and run MBAM.

MBAM:
Please download Malwarebytes Anti-Malware (v1.32) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

#7 NotACylon

NotACylon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 18 February 2009 - 02:37 PM

Turns out, I ran MBAM just before my post, but did Full Scan:
Malwarebytes' Anti-Malware 1.33
Database version: 1747
Windows 5.1.2600 Service Pack 1

2/11/2009 1:08:44 PM
mbam-log-2009-02-11 (13-08-44).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 330041
Time elapsed: 2 hour(s), 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\cpbrkpie.coupon6ctrl.1 (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{9522b3fb-7a2b-4646-8af6-36e7f593073c} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a85a5e6a-de2c-4f4e-99dc-f469df5a0eec} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{87255c51-cd7d-4506-b9ad-97606daf53f3} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e780f0b-bcd6-40cb-b2db-7af47ab4d4a4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a138be8b-f051-4802-9a3f-a750a6d862d4} (Adware.Coupons) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\CouponPrinter.ocx (Adware.Coupons) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\W5SDUN45\gu[1].aspx (Adware.Agent) -> Quarantined and deleted successfully.
D:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\W5SDUN45\gu[2].aspx (Adware.Agent) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\cpnprt2.cid (Adware.Agent) -> Quarantined and deleted successfully.

I also noticed all the bak folders created same date and time 8/16/07 2PM.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:21 AM

Posted 18 February 2009 - 03:14 PM

I am writing the AWF step still. You will need to install Service Pack 2 later.
The MBAM database is a bit old.
Rerun MBAM like this,

Open MBAM in normal mode and click the Update tab, select Check for Updates. When done,
click the Scanner tab, select Quick Scan and scan.
After the scan click Remove Selected, post the new scan log and reboot into normal mode.

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:21 AM

Posted 18 February 2009 - 04:43 PM

As there are a lot here we may do this more than once.

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow steps below:

Copy the file paths in quote below to the clipboard, highlight all of them right-click and choose copy, or highlight them and press Ctrl+C:

"C:\Program Files\QuickTime\bak\qttask.exe"
"D:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"D:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"D:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"D:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"D:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
"C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
"D:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
"C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
"D:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"D:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\system32\bak\khooker.exe"
"D:\WINDOWS\system32\bak\khooker.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"D:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\WINDOWS\system32\bak\taskswitch.exe"
"D:\WINDOWS\system32\bak\taskswitch.exe"
"C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"D:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
"D:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
"C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
"D:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
"D:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"D:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
"D:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
"D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
"D:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"


Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
Type 2, then press Enter.
Press any key to continue.
A Notepad document files.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below the line and paste the list of files that were copied to the clipboard (Ctrl+V).
Close Notepad and you will receive prompt to save the changes, click Yes.
The program will proceed with working.
It may take a few minutes to complete so be patient.
When the scan is finished, it will open a text file in notepad called AWF.txt.
Return to this thread and copy and paste the contents of the AWF.txt file in your next reply.
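The report pasted in post #3 and the explanation in the post above describe the same pattern: a file in a "bak" folder is the original, and the same-named file one level up is the copy the downloader left in its place. The script below is an added example written for this page, not FindAWF's own code (that tool by noahdfear is not open to inspection here). It assumes only the line format visible in the "Duplicate files of bak directory contents" section of the pasted report (`<size> <Mon> <day> <year> "<path>"`), pairs every bak entry with its live counterpart, and classifies the pair so a helper can see at a glance which live files differ in size from their backed-up originals (as qttask.exe and avgcc.exe do in the thread), which match in size and need a hash comparison on disk before any conclusion, and which have no live counterpart listed at all. The sample lines are a constructed subset of the values in the thread.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few lines in the format of the "Duplicate files of bak
# directory contents" section of a FindAWF report (sizes and paths taken from
# the report pasted in this thread, trimmed to representative pairs).
SAMPLE_REPORT = r"""
98304 May 28 2008 "C:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
590848 Oct 17 2008 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
290816 Jan 25 2002 "C:\WINDOWS\system32\bak\khooker.exe"
"""

# One report line: <size> <Mon> <day> <year> "<full Windows path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"$')


def parse_line(line):
    """Return (size, date_text, PureWindowsPath) or None for lines that are
    not report entries (blank lines, section headers, the ~~~ underline)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    size, mon, day, year, path = m.groups()
    return int(size), f"{mon} {day} {year}", PureWindowsPath(path)


def triage_report(report_text):
    """Pair each file found in a 'bak' folder with the same-named file in the
    folder above it and classify the pair.

    Returns a sorted list of (status, live_path, bak_size, live_size):
      REPLACED     - live file listed, but its size differs from the backed-up
                     original (the swap pattern described in the thread)
      SAME_SIZE    - same size on both sides; hash both files on disk before
                     deciding anything
      LIVE_MISSING - only the bak copy is listed, so there is no live
                     counterpart in the report to compare against
    """
    bak = {}   # (live_dir_lower, name_lower) -> (size, display path of live file)
    live = {}  # (dir_lower, name_lower) -> size
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        size, _date, path = parsed
        if path.parent.name.lower() == "bak":
            live_dir = path.parent.parent
            key = (str(live_dir).lower(), path.name.lower())
            bak[key] = (size, str(live_dir / path.name))
        else:
            key = (str(path.parent).lower(), path.name.lower())
            live[key] = size

    findings = []
    for key, (bak_size, display) in bak.items():
        live_size = live.get(key)
        if live_size is None:
            status = "LIVE_MISSING"
        elif live_size != bak_size:
            status = "REPLACED"
        else:
            status = "SAME_SIZE"
        findings.append((status, display, bak_size, live_size))
    return sorted(findings)


if __name__ == "__main__":
    for status, display, bak_size, live_size in triage_report(SAMPLE_REPORT):
        print(f"{status:<13} {display}  bak={bak_size}  live={live_size}")
```

Size alone is only a screening signal: a same-size pair such as the Yahoo Messenger entry on D: above proves nothing either way, which is why the script reports it separately rather than calling it clean. Paths are compared case-insensitively because the report mixes cases for the same file (LVComS.exe versus LVCOMS.EXE).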

#10 NotACylon

NotACylon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 18 February 2009 - 08:28 PM

To rerun MBAM post:
Came back with no errors:
Malwarebytes' Anti-Malware 1.34
Database version: 1776
Windows 5.1.2600 Service Pack 1

2/18/2009 7:47:33 PM
mbam-log-2009-02-18 (19-47-33).txt

Scan type: Quick Scan
Objects scanned: 85916
Time elapsed: 21 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
I realized when I ran CCleaner and cleaned out registry keys, I might have cleaned out a few keys that refer to files that were moved to bak folders, so I went through the CCleaner .reg file looking for such keys and found 4 of them and created a .reg file that I have yet to open (put into registry). Should I put them back in?
Haven't upgraded to SP2 yet as I know there could be problems, but now know support for SP1 is gone. Will it be slower?
Just saw your next post..

#11 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:08:21 AM

Posted 18 February 2009 - 09:12 PM

Hi, yes, put it back in. Will what be slower, the PC? I don't think so, and it will be less prone to these types of infection.

#12 NotACylon

NotACylon
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:21 AM

Posted 19 February 2009 - 01:06 AM

I put registry keys back in, ran CCleaner looking for registry issues and none with files in bak folder showed up.
Will what be slower, the PC? - I'm wondering if running with XP SP2 will make my PC slower?
AWF.txt:

Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: Wed 02/18/2009
The current time is: 20:35:28.20


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MIAF83~1\BAK

11/15/2005 12:12 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

05/14/2003 08:16 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

01/25/2002 02:30 AM 290,816 khooker.exe
07/09/2001 04:50 AM 155,648 NeroCheck.exe
03/19/2002 04:30 PM 45,632 taskswitch.exe
3 File(s) 492,096 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

08/16/2007 12:10 PM 416,256 avgcc.exe
1 File(s) 416,256 bytes

Directory of C:\PROGRA~1\LOGITECH\IMAGES~1\BAK

12/10/2002 06:32 PM 155,648 ISStart.exe
12/10/2002 06:31 PM 61,440 LogiTray.exe
2 File(s) 217,088 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

11/30/2006 09:49 PM 4,662,776 YahooMessenger.exe
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIV~2\BAK

12/10/2002 05:54 PM 127,022 LVCOMS.EXE
1 File(s) 127,022 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 10:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes

Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

11/08/2005 09:35 AM 36,864 LogitechDesktopMessenger.exe
1 File(s) 36,864 bytes

Directory of D:\PROGRA~1\MICROS~2\BAK

11/15/2005 12:12 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes

Directory of D:\PROGRA~1\QUICKT~1\BAK

05/14/2003 08:16 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of D:\WINDOWS\SYSTEM32\BAK

01/25/2002 02:30 AM 290,816 khooker.exe
07/09/2001 04:50 AM 155,648 NeroCheck.exe
03/19/2002 04:30 PM 45,632 taskswitch.exe
3 File(s) 492,096 bytes

Directory of D:\PROGRA~1\GRISOFT\AVG7\BAK

08/16/2007 12:10 PM 416,256 avgcc.exe
1 File(s) 416,256 bytes

Directory of D:\PROGRA~1\LOGITECH\IMAGES~1\BAK

12/10/2002 06:32 PM 155,648 ISStart.exe
12/10/2002 06:31 PM 61,440 LogiTray.exe
2 File(s) 217,088 bytes

Directory of D:\PROGRA~1\YAHOO!\MESSEN~1\BAK

11/30/2006 09:49 PM 4,662,776 YahooMessenger.exe
1 File(s) 4,662,776 bytes

Directory of D:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of D:\PROGRA~1\COMMON~1\LOGITECH\QCDRIV~2\BAK

12/10/2002 05:54 PM 127,022 LVCOMS.EXE
1 File(s) 127,022 bytes

Directory of D:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

0 File(s) 0 bytes

Directory of D:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007 10:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes

Directory of D:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

11/08/2005 09:35 AM 36,864 LogitechDesktopMessenger.exe
1 File(s) 36,864 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
473928 Nov 15 2005 "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
473928 Nov 15 2005 "D:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
77824 May 14 2003 "C:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
77824 May 14 2003 "D:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "D:\Program Files\QuickTime\bak\qttask.exe"
290816 Jan 25 2002 "C:\WINDOWS\system32\khooker.exe"
290816 Jan 25 2002 "C:\WINDOWS\system32\bak\khooker.exe"
290816 Jan 25 2002 "D:\WINDOWS\system32\khooker.exe"
290816 Jan 25 2002 "D:\WINDOWS\system32\bak\khooker.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Jul 9 2001 "D:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "D:\WINDOWS\system32\bak\NeroCheck.exe"
545936 Jun 15 2006 "C:\Programs\TaskswitchPowertoySetup.exe"
45632 Mar 19 2002 "C:\WINDOWS\system32\taskswitch.exe"
45632 Mar 19 2002 "C:\WINDOWS\system32\bak\taskswitch.exe"
545936 Jun 15 2006 "D:\Programs\TaskswitchPowertoySetup.exe"
45632 Mar 19 2002 "D:\WINDOWS\system32\taskswitch.exe"
45632 Mar 19 2002 "D:\WINDOWS\system32\bak\taskswitch.exe"
416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
416256 Aug 16 2007 "D:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "D:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
155648 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
61440 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\LogiTray.exe"
61440 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
40048 May 11 2007 "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "D:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
127022 Dec 10 2002 "C:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
127022 Dec 10 2002 "D:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "D:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
127022 Dec 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
63712 Mar 9 2007 "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
36864 Nov 8 2005 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
36864 Nov 8 2005 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
36864 Nov 8 2005 "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
36864 Nov 8 2005 "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
473928 Nov 15 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
473928 Nov 15 2005 "D:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
473928 Nov 15 2005 "D:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
77824 May 14 2003 "C:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "C:\Program Files\QuickTime\bak\qttask.exe"
77824 May 14 2003 "D:\Program Files\QuickTime\qttask.exe"
77824 May 14 2003 "D:\Program Files\QuickTime\bak\qttask.exe"
290816 Jan 25 2002 "C:\WINDOWS\system32\khooker.exe"
290816 Jan 25 2002 "C:\WINDOWS\system32\bak\khooker.exe"
290816 Jan 25 2002 "D:\WINDOWS\system32\khooker.exe"
290816 Jan 25 2002 "D:\WINDOWS\system32\bak\khooker.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
155648 Jul 9 2001 "D:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "D:\WINDOWS\system32\bak\NeroCheck.exe"
545936 Jun 15 2006 "C:\Programs\TaskswitchPowertoySetup.exe"
45632 Mar 19 2002 "C:\WINDOWS\system32\taskswitch.exe"
45632 Mar 19 2002 "C:\WINDOWS\system32\bak\taskswitch.exe"
545936 Jun 15 2006 "D:\Programs\TaskswitchPowertoySetup.exe"
45632 Mar 19 2002 "D:\WINDOWS\system32\taskswitch.exe"
45632 Mar 19 2002 "D:\WINDOWS\system32\bak\taskswitch.exe"
416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
416256 Aug 16 2007 "D:\Program Files\Grisoft\AVG7\avgcc.exe"
416256 Aug 16 2007 "D:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
155648 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\ISStart.exe"
155648 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\bak\ISStart.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\LogiTray.exe"
61440 Dec 10 2002 "C:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
61440 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\LogiTray.exe"
61440 Dec 10 2002 "D:\Program Files\Logitech\ImageStudio\bak\LogiTray.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "D:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
40048 May 11 2007 "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "D:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
127022 Dec 10 2002 "C:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "C:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
127022 Dec 10 2002 "C:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
127022 Dec 10 2002 "D:\WINDOWS\system32\LVComS.exe"
102400 Jun 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver\LVComS.exe"
90112 Sep 20 2002 "D:\Program Files\Common Files\Logitech\QCDriver2\LVComS.exe"
127022 Dec 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE"
127022 Dec 10 2002 "D:\Program Files\Common Files\Logitech\QCDriver3\bak\LVCOMS.EXE"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
63712 Mar 9 2007 "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
36864 Nov 8 2005 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
36864 Nov 8 2005 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
36864 Nov 8 2005 "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"
36864 Nov 8 2005 "D:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"


end of report

#13 boopme
Posted 19 February 2009 - 04:29 PM

Hi, I'll post back in a couple of hours on this as it needs undivided attention that I can't give it yet. But we will get this.

#14 NotACylon
Posted 19 February 2009 - 05:11 PM

FYI: Ran into a problem with my AVG antivirus. Turns out, Find AWF took avgcc.exe from a bak folder and replaced the one AVG uses. The one AVG uses was a more recent one and I had it on my backup external drive. So I put it back and now AVG is happy.

#15 boopme
Posted 19 February 2009 - 09:59 PM

Hello, it appears the malware is going to interfere and we should run another tool. They are used in the HJT forum. So we need to run HJT.
Please follow this guide: go and do steps 6 and 7, Preparation Guide For Use Before Using HijackThis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant title and post that complete log.

Let me know if it went OK!
