
Outinfo Infection Hijack Log Attached


This topic is locked
9 replies to this topic

#1 ecm3131

ecm3131

  • Members
  • 29 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 09 January 2007 - 11:28 AM

I've run all the steps - Ad-Aware, Spybot, then Panda ActiveScan, McAfee Rootkit...

I've shut down and re-run on startup, I've run out of things to do. Somehow this OuterInfo program keeps re-installing, and I don't know what file to eliminate to keep that from happening.

BTW, the OuterInfo website seems quite proud of themselves ... that they provide the advertiser with "topic-sensitive redirects" ... there oughta be a law. And their uninstaller does not work.

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:26:42 AM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\COMMON~1\SMBOLS~1\scanregw.exe
C:\Program Files\?icrosoft.NET\r?ndll32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\tmatthew\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {648C485C-83B3-DD63-C52B-FDCD5A18D6C5} - C:\WINDOWS\system32\lfef.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {648C485C-83B3-DD63-C52B-FDCD5A18D6C5} - C:\WINDOWS\system32\lfef.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\SMBOLS~1\scanregw.exe" -vt ndrv
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Tdchzyvh] C:\Program Files\?icrosoft.NET\r?ndll32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: 172.20.1.10
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG1hdHRoZXc\command.exe (file missing)
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:10:33 PM

Posted 09 January 2007 - 11:38 AM

Hello,

You are also dealing with a nasty infection that replaces legit files: it moves them away and places a bad one instead.

First of all, you didn't unzip/extract HijackThis; it's still in the temp folder.
So I strongly advise you to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

I notice that you do not seem to be running Antivirus software and a Firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Avast OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
Agnitum Outpost Free, ZoneAlarm Free OR Kerio are FREE firewalls.

Understanding and using firewalls

It is important you don't miss a step and perform everything in the right order!!

Go to Start > Control Panel > Add/Remove Programs and uninstall the following if present:

ipwins
Oin
Yazzle by Oin
YazzleActiveX By OIN
Purityscan by Oin
MediaTickets by OIN
Snowballwars by Oin
Cowabanga by OIN
or anything similar with Oin in it.


Reboot when done! Really important!

--------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):

R3 - URLSearchHook: (no name) - {648C485C-83B3-DD63-C52B-FDCD5A18D6C5} - C:\WINDOWS\system32\lfef.dll
O2 - BHO: (no name) - {648C485C-83B3-DD63-C52B-FDCD5A18D6C5} - C:\WINDOWS\system32\lfef.dll
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\SMBOLS~1\scanregw.exe" -vt ndrv
O4 - HKCU\..\Run: [Tdchzyvh] C:\Program Files\?icrosoft.NET\r?ndll32.exe
O15 - Trusted IP range: 172.20.1.10
<== check this entry if you didn't set it
O20 - AppInit_DLLs:
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG1hdHRoZXc\command.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!
Don't worry if some entries won't go away, we'll deal with that later...

---------------------

Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Then click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware and reboot!!
    I need the log later.
-------------------------

Please download the following file to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe

It will create a text file afterwards... I need that one later.

--------------------------------

* Download Combofix to your desktop.
Double-click combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post next logs in your following reply:
  • Log from combofix (combofix.txt)
  • Log from AVG Antispyware
  • New HijackThis log
  • Log from FindAWF
You may need several replies to post the logs in case they won't fit in one reply.
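The checklist above picks the bad Run-key and service entries out of the first log by eye. The script below is an added example, not part of this thread and not HijackThis code; it applies the same three tells mechanically to entries copied from that log: a '?' placeholder in a path (HijackThis shows '?' for a character it cannot display, and '?' cannot appear in a Windows file name), a file name one character off a core system process (lsasss.exe, r?ndll32.exe), and a directory name that is bare base64 (the dG1hdHRoZXc folder decodes to the user name tmatthew). The sample log is constructed from lines in this thread; the list of system binaries and the check thresholds are this example's own assumptions.

```python
import base64
import binascii
import re

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# plus the benign Intel graphics entry, so the checks have both kinds to run over.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\system32\lsasss.exe
O4 - HKCU\..\Run: [Tair] "C:\PROGRA~1\COMMON~1\SMBOLS~1\scanregw.exe" -vt ndrv
O4 - HKCU\..\Run: [Tdchzyvh] C:\Program Files\?icrosoft.NET\r?ndll32.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dG1hdHRoZXc\command.exe (file missing)
"""

# HijackThis line shapes for Run-key entries (O4) and services (O23).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
# First drive-letter path ending in an executable-ish extension, quoted or not.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|vbs|scr|cpl)\b", re.IGNORECASE)
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{8,}$")

# Assumed list of core Windows XP process names that malware imitates with one-character changes.
SYSTEM_BINARIES = sorted({"lsass.exe", "svchost.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                          "services.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe"})


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def decodes_to_text(component):
    """Return the printable-ASCII plaintext if a directory name is bare base64, else None."""
    if not B64_NAME.match(component):
        return None
    if component == component.lower() or component == component.upper():
        return None  # plain words such as WINDOWS or system32 are never flagged
    padded = component + "=" * (-len(component) % 4)  # the log drops the '=' padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def extract_path(command):
    """Pull the executable path out of a Run/Service command line, ignoring arguments."""
    m = PATH_RE.search(command)
    return m.group(0) if m else None


def triage(log_text):
    """Return [(path, [reasons])] for every O4/O23 entry that trips at least one check."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line) or O23_RE.match(line)
        if not m:
            continue
        path = extract_path(m.group("cmd"))
        if path is None:
            continue
        reasons = []
        base = path.rsplit("\\", 1)[-1].lower()
        if "?" in path:
            reasons.append("'?' in path: a character HijackThis could not display, "
                           "so the real name uses a look-alike character")
        for legit in SYSTEM_BINARIES:
            if base != legit and levenshtein(base, legit) == 1:
                reasons.append(f"file name is one edit away from {legit}")
        for component in path.split("\\")[1:-1]:
            decoded = decodes_to_text(component)
            if decoded:
                reasons.append(f"directory {component} is base64 for {decoded!r}")
        if "(file missing)" in m.group("cmd") and m.groupdict().get("owner") == "Unknown owner":
            reasons.append("service of unknown owner whose binary is missing")
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("   -", reason)
```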

#3 ecm3131

ecm3131
  • Topic Starter

  • Members
  • 29 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 09 January 2007 - 02:05 PM

Thanks for the help so far. You folks are way too smart (rhymes with "scary smart" & "freak-me-out-genius")

So here's where I am:

I had already moved HJT to a separate folder, and I'll install the firewall as soon as this gets done.
I noticed the Cowabanga file yesterday and I took it out at that time.

There was an OuterInfo file which I deleted with Add/Remove Programs. I did everything else to the letter. As you predicted, not all the files existed in the HJT log, but I checked the ones that did. Also, the trusted IP address was entered by me and not deleted.

Here are the four logs (I added the date and time to some of the file names for my reference):


--------------------------------------------------------------------------
>>>>>>>>>>>>> ComboFix report <<<<<<<<<<<<<
---------------------------------------------------------------------------

tmatthew - 07-01-09 13:34:32.65 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\tmatthew\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{14421080-0D3F-1033-1013-050311200001}
C:\Program Files\Common Files\{34421080-0D3F-1033-1013-050311200001}
C:\WINDOWS\dG1hdHRoZXc

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\tmatthew\My Documents\SKS~1
C:\QooBox\Purity\Documents and Settings\tmatthew\My Documents\SKS~1\?hkdsk.exe
C:\QooBox\Purity\Program Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\DOBE~1
C:\QooBox\Purity\Program Files\Common Files\SMBOLS~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-09 to 2007-01-09 ))))))))))))))))))))))))))))))))))


2007-01-09 12:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-01-09 12:58 <DIR> d-------- C:\Program Files\Grisoft
2007-01-09 11:32 <DIR> d-------- C:\Program Files\Hijackthis
2007-01-09 10:11 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-09 10:02 5,037,072 --a------ C:\Program Files\spybotsd14.exe
2007-01-09 10:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-09 10:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-01-08 18:12 297 --a------ C:\tskmgr.exe
2007-01-08 18:12 297 --a------ C:\sstray.exe
2007-01-08 17:53 <DIR> d-------- C:\WINDOWS\system32\bak
2007-01-08 15:12 7,706,216 --a------ C:\winzip110.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-09 13:34 -------- d-------- C:\Program Files\Common Files
2007-01-09 10:34 -------- d-------- C:\Program Files\Builder System
2007-01-09 10:22 -------- d-------- C:\Program Files\WinZip
2007-01-09 10:21 -------- d-------- C:\Program Files\Internet Explorer
2007-01-09 10:21 -------- d-------- C:\Program Files\GoogleAFE
2007-01-09 10:21 -------- d-------- C:\Program Files\Google
2007-01-09 10:20 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2007-01-09 10:08 1400487 --a------ C:\Program Files\McafeeRootkitDetective.zip
2007-01-09 07:50 -------- d-------- C:\Documents and Settings\tmatthew\Application Data\AdobeUM
2007-01-08 17:53 -------- d-------- C:\Program Files\QuickTime
2007-01-08 17:53 -------- d-------- C:\Program Files\Messenger
2007-01-08 15:35 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-22 09:22 -------- d-------- C:\Documents and Settings\tmatthew\Application Data\Help
2006-11-09 02:02 -------- d-------- C:\Program Files\Common Files\oirf
2006-11-08 16:06 2855080 --a------ C:\Program Files\aawsepersonal.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\Core\\smax4pnp.exe"
@=""
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,8e,04,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,8e,04,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,40,01,00,00,00,00,00,00,00,05,00,00,8e,04,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 07-01-09 13:35:18.70
C:\ComboFix.txt ... 07-01-09 13:35

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:22:46 PM 1/9/2007

+ Scan result:

C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0007089.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007159.exe -> Adware.Maxifiles : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0006433.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0006730.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lfef.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\Analog Devices\Core\smax4pnp.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\Messenger\msmsgs.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0007139.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007160.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dla\tfswctrl.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\hkcmd.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\igfxpers.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\igfxtray.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lsasss.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
[1540] C:\WINDOWS\system32\hkcmd.exe -> Downloader.Agent.awf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP118\A0007113.exe -> Downloader.Agent.baf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007156.exe -> Downloader.Agent.baf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007157.exe -> Downloader.Agent.baf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007158.exe -> Downloader.Agent.baf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007201.exe -> Downloader.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP114\A0006421.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0006706.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0006892.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP68\A0005765.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP69\A0005839.exe -> Downloader.PurityScan.co : Cleaned with backup (quarantined).
C:\Documents and Settings\tmatthew\Local Settings\Temp\uninst.exe -> Downloader.PurityScan.cr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007161.dll -> Downloader.Small.ece : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007162.exe -> Dropper.DollarR.b : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007203.exe -> Dropper.Small : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@247realmedia[1].txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.42:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.47:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.6:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.7:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.8:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.11:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.12:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@news.com[2].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.17:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.23:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
:mozilla.24:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@ehg-netquote.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@sec1.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.46:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@data3.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@overture[1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.13:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.14:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.15:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.16:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\l0zp95vi.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.75:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.76:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@anat.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.90:C:\Documents and Settings\tmatthew\Application Data\Mozilla\Firefox\Profiles\p4bu4tqd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\tmatthew\Cookies\tmatthew@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP115\A0006427.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0006725.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0007163.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP70\A0005904.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\dG1hdHRoZXc\x3Y1xJlCtrw.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wnscpsv.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end


--------------------------------------------------------------------------
>>>>>>>>>>>>> HJT log file <<<<<<<<<<<<<
---------------------------------------------------------------------------


Logfile of HijackThis v1.99.1
Scan saved at 1:53:47 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted IP range: 172.20.1.10
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE


--------------------------------------------------------------------------
>>>>>>>>>>>>> AWF report <<<<<<<<<<<<<
---------------------------------------------------------------------------

Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\MESSEN~1\BAK

10/13/2004 11:24 AM 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

08/24/2006 03:38 PM 77,824 qttask.exe
1 File(s) 77,824 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

09/20/2005 04:32 PM 77,824 hkcmd.exe
09/20/2005 04:36 PM 114,688 igfxpers.exe
09/20/2005 04:35 PM 94,208 igfxtray.exe
3 File(s) 286,720 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 08:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

02/23/2005 05:19 PM 53,248 DVDLauncher.exe
1 File(s) 53,248 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

10/16/2006 05:06 PM 190,464 GoogleDesktop.exe
1 File(s) 190,464 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

12/06/2004 02:05 AM 127,035 tfswctrl.exe
1 File(s) 127,035 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

07/27/2004 05:50 PM 81,920 issch.exe
07/27/2004 05:50 PM 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

11/10/2005 12:03 PM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of R:\IMAGES\NEWNAV\NEWBAK

06/08/1998 06:28 PM 1,799 about_c.gif
06/08/1998 06:28 PM 1,647 help_c.gif
06/08/1998 06:28 PM 1,569 home_c.gif
06/08/1998 06:28 PM 2,690 lft_logo.gif
06/08/1998 06:28 PM 4,868 main_line.gif
06/08/1998 06:28 PM 1,463 map_c.gif
06/08/1998 06:28 PM 1,910 product_info_c.gif
06/08/1998 06:28 PM 1,787 resources_c.gif
8 File(s) 17,733 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
77824 Aug 24 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
77824 Sep 20 2005 "C:\DRIVERS\video\onboard\hkcmd.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Sep 20 2005 "C:\DRIVERS\video\onboard\igfxpers.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
94208 Sep 20 2005 "C:\DRIVERS\video\onboard\igfxtray.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
1404928 Oct 14 2004 "C:\DRIVERS\AUDIO\ONBOARD\SMAX4PNP.EXE"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
53248 Feb 23 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
2132280 Oct 16 2006 "C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe"
458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
190464 Oct 16 2006 "C:\Program Files\Google\Google Desktop Search\bak\GoogleDesktop.exe"
163576 Oct 18 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
127035 Dec 6 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
127035 Dec 6 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


end of report

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 January 2007 - 02:56 PM

Hi,

Let me explain one of the infections you are dealing with. It created a backup of the original file in a BAK folder, present in the same folder as the infected file.
So the files present in the BAK folders are the GOOD ones!

So what we should do here is to delete the infected file (in case it is still present) and replace it with the legit/good file from the BAK folder again.
However, I see AVG Anti-Spyware already deleted them, so we don't have to delete them manually. But you never know whether some may still be present... That's why I want you to perform the next instructions in Safe Mode, just to make sure that the files won't be in use.

It's better to save the next instructions in Notepad, because this page won't be available from Safe Mode.
I'll explain step by step how to replace the files again.

Please read the next instructions FIRST before proceeding with the steps, and if there's something you don't understand or that is unclear, ask first before proceeding with the steps.

* Reboot into Safe Mode (without networking support!):
°To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

---------------------------

°°First, delete the next files and folders (those are the ones that don't need to be replaced and are bad anyway):

C:\tskmgr.exe
C:\sstray.exe
C:\Program Files\Common Files\oirf <== folder

----------------------------

°°Now let's replace the ones from the BAK folders back into their original folders.

- Go to the next folder: C:\Program Files\Messenger\BAK
You'll find msmsgs.exe in there. Cut and paste the msmsgs.exe file back to the original C:\Program Files\Messenger folder.
The C:\Program Files\Messenger\BAK folder should be empty now and the msmsgs.exe file should be back in the C:\Program Files\Messenger folder; double-check this.
Then delete the BAK folder there.

- Go to the next folder: C:\Program Files\QuickTime\BAK
You'll find qttask.exe in there. Cut and paste the qttask.exe file back to the original C:\Program Files\QuickTime folder.
The C:\Program Files\QuickTime\BAK folder should be empty now and the qttask.exe file should be back in the C:\Program Files\QuickTime folder; double-check this.
Then delete the BAK folder there.

- Go to the next folder: C:\Program Files\Analog Devices\Core\BAK
You'll find smax4pnp.exe in there. Cut and paste the smax4pnp.exe file back to the original C:\Program Files\Analog Devices\Core folder.
Double-check again that you replaced it correctly and that the BAK folder is empty. Then delete the BAK folder there again.

- Go to the next folder: C:\Program Files\CyberLink\PowerDVD\BAK
You'll find DVDLauncher.exe in there. Cut and paste the DVDLauncher.exe file back to the original C:\Program Files\CyberLink\PowerDVD folder.
Delete the BAK folder there after double-checking that it was replaced correctly.

- Go to the next folder: C:\Program Files\Google\Google Desktop Search\BAK
You'll find GoogleDesktop.exe in there. Cut and paste the GoogleDesktop.exe file back to the original C:\Program Files\Google\Google Desktop Search folder.
Delete the BAK folder there after double-checking that it was replaced correctly.

- Go to the next folder: C:\WINDOWS\system32\dla\BAK
You'll find tfswctrl.exe in there. Cut and paste the tfswctrl.exe file back to the original C:\WINDOWS\system32\dla folder.
Delete the BAK folder there after double-checking that it was replaced correctly.

- Go to the next folder: C:\Program Files\Common Files\InstallShield\UpdateService\BAK
You'll find issch.exe and ISUSPM.exe in there. Cut and paste the issch.exe and ISUSPM.exe files back to the original C:\Program Files\Common Files\InstallShield\UpdateService folder.
Delete the BAK folder there after double-checking that they were replaced correctly.

- Go to the next folder: C:\Program Files\Java\jre1.5.0_06\bin\BAK
You'll find jusched.exe in there. Cut and paste the jusched.exe file back to the original C:\Program Files\Java\jre1.5.0_06\bin folder.
Delete the BAK folder there after double-checking that it was replaced correctly.

- Go to the next folder: C:\WINDOWS\system32\BAK
You'll find hkcmd.exe, igfxpers.exe and igfxtray.exe in there. Cut and paste the hkcmd.exe, igfxpers.exe and igfxtray.exe files back to the original C:\WINDOWS\system32 folder.
Delete the BAK folder there after double-checking that they were replaced correctly.

Note: It *could* be possible, when you move a file back into the original folder, that the file is already present in the original folder, but that one *may* be the bad one. So just let it be overwritten with the good file from the BAK folder.

Then:
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click "Delete".
  • Click "Delete Files", "Delete cookies" and "Delete history"
  • Click Close below.
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear Now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window.
* Clean other Temporary files + Recycle Bin:
  • Go to Start > Run, type cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Reboot back to Normal Mode.

* Download http://www.mvps.org/winhelp2002/DelDomains.inf and place it on your desktop.
Right-click the file and select Install; that will reset the zone settings that have been altered.

and also

* Download: ResetProtocolDefaults.reg
http://www.mvps.org/winhelp2002/ResetProtocolDefaults.reg

Locate "ResetProtocolDefaults.reg"
Right-click and select: Merge (OK the prompt)

Rescan with FindAWF and post the log in your next reply together with a new HijackThis log.

Edited by miekiemoes, 09 January 2007 - 02:59 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
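The restore procedure in the post above, as an added Python example written for this page (it is not miekiemoes' instructions, FindAWF, or any tool from the thread): it locates BAK folders, classifies the same-named twin in the parent folder using the three file sizes the FindAWF report enumerates (21504, 25600, 26450 bytes), moves the originals back, and deletes each BAK folder only once it is empty. All paths and file contents are a constructed sample tree in a temporary directory, so it runs offline and touches no real system.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Sizes FindAWF enumerates in the report above as the dropper's replacement
# binaries (assumption: taken from the report headings on this page only).
AWF_DROPPER_SIZES = {21504, 25600, 26450}


def find_bak_folders(root):
    """Yield every directory literally named BAK (any case) under root."""
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            if d.lower() == "bak":
                yield Path(dirpath) / d


def classify(bak_dir):
    """For each file parked in BAK, report its twin in the parent folder:
    'missing' (AV already removed it), 'suspicious' (known dropper size),
    or 'unknown' (present with some other size). Returns [(name, status)]."""
    results = []
    for backup in sorted(p for p in bak_dir.iterdir() if p.is_file()):
        twin = bak_dir.parent / backup.name
        if not twin.exists():
            results.append((backup.name, "missing"))
        elif twin.stat().st_size in AWF_DROPPER_SIZES:
            results.append((backup.name, "suspicious"))
        else:
            results.append((backup.name, "unknown"))
    return results


def restore_from_bak(bak_dir, overwrite_unknown=False):
    """Move each backup over its twin, then remove BAK once it is empty.
    An 'unknown' twin is left alone unless overwrite_unknown is set (the post
    notes such a file "may be the bad one"). Returns the names restored."""
    restored = []
    for name, status in classify(bak_dir):
        if status == "unknown" and not overwrite_unknown:
            continue
        src, dst = bak_dir / name, bak_dir.parent / name
        if dst.exists():
            dst.unlink()                      # drop the dropped replacement
        shutil.move(str(src), str(dst))       # the original goes back home
        restored.append(name)
    if not any(bak_dir.iterdir()):            # only delete BAK when empty
        bak_dir.rmdir()
    return restored


def build_sample_tree():
    """Constructed sample, not real binaries: Messenger has a 21504-byte
    stand-in in place of msmsgs.exe with the original parked in BAK;
    QuickTime's bad copy is already gone; Core has a twin of unknown size."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    msn = root / "Program Files" / "Messenger"
    (msn / "BAK").mkdir(parents=True)
    (msn / "BAK" / "msmsgs.exe").write_bytes(b"ORIGINAL" * 10)
    (msn / "msmsgs.exe").write_bytes(b"\x00" * 21504)
    qt = root / "Program Files" / "QuickTime"
    (qt / "BAK").mkdir(parents=True)
    (qt / "BAK" / "qttask.exe").write_bytes(b"ORIGINAL" * 8)
    core = root / "Program Files" / "Analog Devices" / "Core"
    (core / "BAK").mkdir(parents=True)
    (core / "BAK" / "smax4pnp.exe").write_bytes(b"ORIGINAL" * 9)
    (core / "smax4pnp.exe").write_bytes(b"?" * 100)   # left for the operator
    return root


def demo():
    """Run the procedure on the sample tree. Returns (before, restored,
    leftover): classify() output per folder, names restored per folder,
    and how many BAK folders remain afterwards."""
    root = build_sample_tree()
    try:
        baks = list(find_bak_folders(root))
        before = {b.parent.name: classify(b) for b in baks}
        restored = {b.parent.name: restore_from_bak(b) for b in baks}
        leftover = len(list(find_bak_folders(root)))
    finally:
        shutil.rmtree(root)
    return before, restored, leftover
```

On a real machine, point find_bak_folders at the drive root and review classify() output before calling restore_from_bak, since the 'unknown' case is exactly the one the note in the post leaves to judgement.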

#5 ecm3131

ecm3131
  • Topic Starter

  • Members
  • 29 posts

Posted 09 January 2007 - 05:26 PM

OK. Got all that done, and now here are the two log files:


Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~



25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of R:\IMAGES\NEWNAV\NEWBAK

06/08/1998 06:28 PM 1,799 about_c.gif
06/08/1998 06:28 PM 1,647 help_c.gif
06/08/1998 06:28 PM 1,569 home_c.gif
06/08/1998 06:28 PM 2,690 lft_logo.gif
06/08/1998 06:28 PM 4,868 main_line.gif
06/08/1998 06:28 PM 1,463 map_c.gif
06/08/1998 06:28 PM 1,910 product_info_c.gif
06/08/1998 06:28 PM 1,787 resources_c.gif
8 File(s) 17,733 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~


end of report



Logfile of HijackThis v1.99.1
Scan saved at 5:18:17 PM, on 1/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: GoogleAFE - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Autodesk Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 January 2007 - 05:42 PM

Great! And I see the restored files up and running again. :thumbsup:

One small note..

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Thank you for the donation btw, much appreciated.
Your HijackThis log looks clean again. Let me know in your next reply how things are running now.

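The "looks clean again" judgement above can be checked mechanically. As an added example written for this page (not the thread's own tooling and not HijackThis itself), the block below parses HijackThis v1.99.1 log text into comparable entries and diffs the two logs posted earlier in this thread; the excerpts are constructed from lines quoted in the thread, cut down to the ones that differ plus a little context.

```python
import re

# One HJT entry line: section code (R0..R3, F0..F3, O1..O23) then " - ".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.*)$")
MISSING_MARK = " (file missing)"


def parse_hjt(text):
    """Split an HJT log into (running_processes, entries).

    running_processes: set of lower-cased paths from the "Running processes:"
    block; entries: {entry text without the "(file missing)" suffix: bool},
    True when HijackThis flagged the referenced file as missing.
    """
    processes, entries, in_procs = set(), {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.add(line.lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            code, body = m.groups()
            missing = body.endswith(MISSING_MARK)
            if missing:
                body = body[: -len(MISSING_MARK)]
            entries[f"{code} - {body}"] = missing
    return processes, entries


def diff_hjt(before_text, after_text):
    """Summarise what changed between two logs of the same machine."""
    p0, e0 = parse_hjt(before_text)
    p1, e1 = parse_hjt(after_text)
    return {
        "removed_entries": sorted(e0.keys() - e1.keys()),
        "added_entries": sorted(e1.keys() - e0.keys()),
        "no_longer_missing": sorted(k for k in e0 if e0[k] and e1.get(k) is False),
        "now_running": sorted(p1 - p0),
        "no_longer_running": sorted(p0 - p1),
    }


# Constructed excerpts of the two logs posted in this thread (1:53 PM and
# 5:18 PM on 1/9/2007), reduced to the lines that differ plus some context.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 1:53:47 PM, on 1/9/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted IP range: 172.20.1.10
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:18:17 PM, on 1/9/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
"""


def demo():
    """Diff the two excerpts; returns the change summary."""
    return diff_hjt(BEFORE_LOG, AFTER_LOG)
```

The summary shows the three things the thread relied on: the O15 trusted IP range is gone after the DelDomains.inf reset, the O9 Messenger entry no longer reports its file missing, and the restored smax4pnp.exe is among the running processes.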
#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 January 2007 - 05:43 PM

Extra addition..

I notice that you do not seem to be running antivirus software and a firewall. This is somewhat suicidal in today's digital world.
That's why I want you to install them first!!

Avira, AVG OR Avast OR Active Virus Shield (uncheck the Security Toolbar during install) are good FREE antivirus programs.
Never install more than one antivirus scanner or firewall on your system! Several together can cause problems and seriously decrease its reliability!
Agnitum Outpost Free, ZoneAlarm Free OR Kerio are FREE firewalls.

Understanding and using firewalls

#8 ecm3131

ecm3131
  • Topic Starter

  • Members
  • 29 posts

Posted 09 January 2007 - 06:57 PM

Man, you're great. Thanks a heap.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 January 2007 - 07:17 PM

Man, you're great

Still female though and I guess I won't change :thumbsup:

Glad I could help. :flowers:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 19 January 2007 - 06:52 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



