todechineys02 Posted February 9, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:34 PM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {dd9873b6-1dd1-11b2-bf43-c53634b94b8a} - (no file)
O2 - BHO: (no name) - {F503740D-389F-45CE-A9DA-2A23FF12B31E} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [spyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.melaleuca.com
O15 - Trusted Zone: http://www.wellsfargo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103003783640
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.5.0.4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3C640BD-7822-430B-A97D-32309D1B10D4}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O21 - SSODL: Adobe Acrobat 5.0 - {74ED521F-7B75-7458-EFE8-A5F313C962AE} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\profsy.html

--
End of file - 10427 bytes
rmurphy Posted February 14, 2008

Welcome to BestTechie. I'm Ryan, and I'll be helping you clean your computer.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore your connection.
-----------------------------------------------------------
* Double click on combofix.exe & follow the prompts.
* When finished, it will produce a report for you.
* Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

-Ryan
todechineys02 Posted February 15, 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:20:35 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\NeroCheck.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG12.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [spyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.melaleuca.com
O15 - Trusted Zone: http://www.wellsfargo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103003783640
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.5.0.4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3C640BD-7822-430B-A97D-32309D1B10D4}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O21 - SSODL: Adobe Acrobat 5.0 - {74ED521F-7B75-7458-EFE8-A5F313C962AE} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 9899 bytes


ComboFix 08-02-15.1 - Owner 2008-02-14 18:47:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.88 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
 * Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Program Files\Common Files\appatc~1
C:\Program Files\Common Files\appatc~1\A?pPatch\
C:\Program Files\Common Files\profsy.html
C:\Program Files\fnts~1
C:\Program Files\Insider
C:\Program Files\Temporary
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1201581084.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\system32\din.ip
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\v2
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\core

((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.
2008-02-14 03:01 . 2008-02-14 03:02 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-02-09 12:18 . 2008-02-09 12:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-07 19:55 . 2008-02-07 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-02-07 19:35 . 2008-02-07 19:35 <DIR> d-------- C:\Program Files\IObit
2008-02-07 19:27 . 2008-02-07 19:27 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-07 19:26 . 2008-02-07 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-07 19:24 . 2008-02-07 19:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-07 18:33 . 2008-02-07 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-28 21:47 . 2008-01-28 21:47 14 --a------ C:\WINDOWS\00F4-077B-D103-DBBD.dat
2008-01-28 18:57 . 2008-01-28 18:57 <DIR> d-------- C:\WINDOWS\system32\bak
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 01:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-08 02:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\Yahoo!
2008-02-08 02:35 --------- d-----w C:\Program Files\Yahoo!
2008-02-08 01:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-08 01:23 --------- d-----w C:\Program Files\Common Files\NewSoft
2008-02-08 00:44 --------- d-----w C:\Program Files\DivX
2008-02-07 23:20 --------- d-----w C:\Program Files\AdwareAlert
2008-01-29 02:04 --------- d-----w C:\Program Files\Windows Defender
2008-01-29 02:04 --------- d-----w C:\Program Files\QuickTime
2008-01-29 02:04 --------- d-----w C:\Program Files\CCleaner
2008-01-29 00:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdwareAlert
2008-01-12 23:13 2,124 ---ha-w C:\Documents and Settings\All Users\Application Data\index0.dat
2008-01-12 06:08 --------- d-----w C:\Program Files\AIM
2007-12-25 06:36 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-09-01 05:06 64,960 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 02:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 14,348 2008-01-29 02:02:36 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
----a-w 6,366,448 2007-12-28 22:01:24 C:\Program Files\AdwareAlert\bak\AdwareAlert.exe
----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Alwil Software\Avast4\ashDisp.exe
----a-w 590,728 2006-12-15 12:13:22 C:\Program Files\CCleaner\bak\ccleaner.exe
----a-w 14,348 2008-01-29 02:02:36 C:\Program Files\CCleaner\ccleaner.exe
----a-w 579,072 2008-01-12 04:09:24 C:\Program Files\Grisoft\AVG7\bak\avgcc.exe
----a-w 49,152 2004-09-13 21:49:00 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 14,348 2008-01-29 02:02:36 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
----a-w 32,881 2004-09-29 03:26:04 C:\Program Files\Java\j2re1.4.2_06\bin\bak\jusched.exe
----a-w 14,348 2008-01-29 02:02:36 C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
----a-w 282,624 2007-02-08 03:32:25 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 14,348 2008-01-29 02:02:36 C:\Program Files\QuickTime\qttask.exe
----a-w 866,584 2006-11-04 02:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 14,348 2008-01-29 02:02:36 C:\Program Files\Windows Defender\MSASCui.exe
----a-w 126,976 2005-10-19 14:59:12 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 14,348 2008-01-29 02:02:36 C:\WINDOWS\system32\hkcmd.exe
----a-w 155,648 2005-10-19 14:59:14 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 14,348 2008-01-29 02:02:36 C:\WINDOWS\system32\igfxtray.exe
----a-w 155,648 2001-07-09 19:50:42 C:\WINDOWS\system32\bak\NeroCheck.exe
----a-w 14,348 2008-01-29 02:02:36 C:\WINDOWS\system32\NeroCheck.exe
----a-w 176,128 2004-12-14 16:07:44 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe
----a-w 14,348 2008-01-29 02:02:36 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccleaner"="C:\Program Files\CCleaner\ccleaner.exe" [2008-01-28 19:02 14348]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-02-07 20:32 282624]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-01-28 19:02 14348]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-28 19:02 14348]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2008-01-28 19:02 14348]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-01-28 19:02 14348]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-28 19:02 14348]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-28 19:02 14348]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 06:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-08-13 17:04 5562368]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

R0 Achernar;Achernar - SCSI Command Filters;C:\WINDOWS\system32\Drivers\Achernar.sys [2004-02-11 14:34]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-14 10:00:00 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-02-15 02:12:32 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-15 01:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-14 19:10:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZENG12.exe
.
**************************************************************************
.
Completion time: 2008-02-14 19:16:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 02:16:09
.
2008-02-15 01:20:51 --- E O F ---
rmurphy Posted February 15, 2008

== Install Recovery Console ==
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.

== FindAWF ==
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.
Download FindAWF.exe from here or here, and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1, then press Enter.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.
-Ryan
todechineys02 (Author) Posted February 16, 2008

WinXP_EN_HOM_BF.EXE

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Sat 02/16/2008
The current time is: 9:44:36.50

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\ADWARE~1\BAK
12/28/2007 03:01 PM 6,366,448 AdwareAlert.exe
1 File(s) 6,366,448 bytes

Directory of C:\PROGRA~1\CCLEANER\BAK
12/15/2006 05:13 AM 590,728 ccleaner.exe
1 File(s) 590,728 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK
02/07/2007 08:32 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK
11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
10/19/2005 07:59 AM 126,976 hkcmd.exe
10/19/2005 07:59 AM 155,648 igfxtray.exe
07/09/2001 12:50 PM 155,648 NeroCheck.exe
3 File(s) 438,272 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK
12/04/2007 06:00 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK
01/11/2008 09:09 PM 579,072 avgcc.exe
1 File(s) 579,072 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
09/13/2004 02:49 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
09/28/2004 08:26 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
12/14/2004 09:07 AM 176,128 hpztsb12.exe
1 File(s) 176,128 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

6366448 Dec 28 2007 "C:\Program Files\AdwareAlert\bak\AdwareAlert.exe"
14348 Jan 28 2008 "C:\Program Files\CCleaner\ccleaner.exe"
590728 Dec 15 2006 "C:\Program Files\CCleaner\bak\ccleaner.exe"
14348 Jan 28 2008 "C:\Program Files\QuickTime\qttask.exe"
282624 Feb 7 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Jan 28 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
14348 Jan 28 2008 "C:\WINDOWS\system32\hkcmd.exe"
114688 Apr 6 2003 "C:\Katie Todechiney\DRIVERS\VIDEO\HKCMD.EXE"
126976 Oct 19 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\DELL\drivers\R60084\Graphics\Win2000\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups010\DriverFiles\hkcmd.exe"
14348 Jan 28 2008 "C:\WINDOWS\system32\igfxtray.exe"
155648 Apr 6 2003 "C:\Katie Todechiney\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Oct 19 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 7 2003 "C:\DELL\drivers\R60084\Graphics\Win2000\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups010\DriverFiles\igfxtray.exe"
14348 Jan 28 2008 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
579072 Jan 11 2008 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
14348 Jan 28 2008 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
14348 Jan 28 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
14348 Jan 28 2008 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\bak\jusched.exe"
14348 Jan 28 2008 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
176128 Dec 14 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"

end of report
rmurphy Posted February 16, 2008

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
"C:\Program Files\AdwareAlert\bak\AdwareAlert.exe"
"C:\Program Files\CCleaner\bak\ccleaner.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
"C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 2, then press Enter.
Press any key to continue.
A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right-click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
The program will proceed to move the legit files and will perform another scan for bak folders.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file along with an Uninstall List in your next reply.
To obtain an Uninstall list:
Open HijackThis, click Config, click Misc Tools.
Click "Open Uninstall Manager".
Click "Save List" (generates uninstall_list.txt).
-Ryan
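The two FindAWF steps used in this thread, scanning for bak folders (option 1, introduced in the post that named the trojan) and restoring the originals over the dropped stubs (option 2, the post above), re-implemented as an added example for this page. This is not FindAWF, ComboFix or any other tool from the thread; it is standard-library Python 3, and the directory tree it builds is constructed sample data that only copies the file sizes seen in the FindAWF report (14,348-byte stubs in place, larger originals in bak, and avast's ashDisp.exe already identical in both places). The quarantine folder name and the ".stub" suffix are assumptions of the example.

```python
# Added example for this page, not FindAWF, ComboFix or any other tool from the
# thread: a Python 3 re-implementation of FindAWF option 1 (scan) and option 2
# (restore). Standard library only; the demo tree is constructed sample data.
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

STUB_SIZE = 14348  # size of every dropped file in the FindAWF report above


def find_bak_folders(root):
    """Every directory literally named 'bak' (any case) under root that holds
    at least one .exe, as a sorted list of (bak_dir, [exe names])."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name.lower() == "bak":
            exes = sorted(f for f in files if f.lower().endswith(".exe"))
            if exes:
                hits.append((Path(dirpath), exes))
    return sorted(hits, key=lambda h: str(h[0]).lower())


def compare_with_parent(bak_dir, names):
    """For each file in a bak folder look at the same-named file one level up
    (the path the Run key still launches). Returns
    {name: (live_size or None, bak_size, status)} with status one of
    'replaced' (sizes differ), 'identical' or 'missing-live'."""
    report = {}
    for name in names:
        bak_size = (bak_dir / name).stat().st_size
        live = bak_dir.parent / name
        if not live.exists():
            report[name] = (None, bak_size, "missing-live")
            continue
        live_size = live.stat().st_size
        report[name] = (live_size, bak_size,
                        "identical" if live_size == bak_size else "replaced")
    return report


def stub_size_histogram(reports):
    """The downloader writes one and the same dropper over every program it
    hijacks, so every 'replaced' live file shares a single size; one dominant
    bucket is the tell. Returns {live_size: count}."""
    counts = {}
    for report in reports:
        for live_size, _bak, status in report.values():
            if status == "replaced":
                counts[live_size] = counts.get(live_size, 0) + 1
    return counts


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def restore_from_bak(bak_dir, name, quarantine):
    """Option 2: move the live stub into quarantine (keep the evidence), copy
    the bak original back into place, verify by hash. True on success."""
    live, original = bak_dir.parent / name, bak_dir / name
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    if live.exists():
        # unique name so two stubs both called qttask.exe cannot collide
        tag = hashlib.sha256(str(live).encode()).hexdigest()[:8]
        shutil.move(str(live), str(quarantine / f"{name}.{tag}.stub"))
    shutil.copy2(str(original), str(live))
    return sha256_of(live) == sha256_of(original)


def build_demo_tree():
    """Constructed sample tree (an assumption, not a real disk) copying sizes
    from the FindAWF report: two hijacked programs with the stub in place and
    one (avast) where live and bak copies already match."""
    root = Path(tempfile.mkdtemp(prefix="awf-demo-"))
    layout = {
        "Program Files/QuickTime/qttask.exe": STUB_SIZE,
        "Program Files/QuickTime/bak/qttask.exe": 282624,
        "Program Files/HP/HP Software Update/HPWuSchd2.exe": STUB_SIZE,
        "Program Files/HP/HP Software Update/bak/HPWuSchd2.exe": 49152,
        "Program Files/Alwil Software/Avast4/ashDisp.exe": 79224,
        "Program Files/Alwil Software/Avast4/bak/ashDisp.exe": 79224,
    }
    for rel, size in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        fill = b"\x90" if size == STUB_SIZE else b"MZ"  # stub vs original bytes
        target.write_bytes((fill * size)[:size])
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    hits = find_bak_folders(root)
    reports = [compare_with_parent(d, names) for d, names in hits]
    for (d, _), rep in zip(hits, reports):
        for name, (live, bak, status) in rep.items():
            print(f"{status:12} live={live} bak={bak} {d.parent / name}")
    print("stub sizes:", stub_size_histogram(reports))
    qt_bak = hits[-1][0]  # QuickTime sorts last in the demo tree
    print("restored:", restore_from_bak(qt_bak, "qttask.exe", root / "quarantine"))
```

Against a real disk you would point find_bak_folders at the mounted volume instead of the demo tree. Two things this example deliberately does not do that the real clean-up needs: it does not search the rest of the drive for other copies of each name (the FindAWF report lists extra hkcmd.exe and igfxtray.exe copies under C:\DELL and ReinstallBackups, which is why restoring by file name alone is not enough), and it keeps the stub rather than deleting it, so that the sample can be submitted or hashed later.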
todechineys02 (Author) Posted February 16, 2008

Directory of C:\WINDOWS\SYSTEM32\BAK
10/19/2005 07:59 AM 126,976 hkcmd.exe
10/19/2005 07:59 AM 155,648 igfxtray.exe
07/09/2001 12:50 PM 155,648 NeroCheck.exe
3 File(s) 438,272 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK
12/04/2007 06:00 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK
01/11/2008 09:09 PM 579,072 avgcc.exe
1 File(s) 579,072 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
09/13/2004 02:49 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
09/28/2004 08:26 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
12/14/2004 09:07 AM 176,128 hpztsb12.exe
1 File(s) 176,128 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

6366448 Dec 28 2007 "C:\Program Files\AdwareAlert\AdwareAlert.exe"
6366448 Dec 28 2007 "C:\Program Files\AdwareAlert\bak\AdwareAlert.exe"
590728 Dec 15 2006 "C:\Program Files\CCleaner\ccleaner.exe"
590728 Dec 15 2006 "C:\Program Files\CCleaner\bak\ccleaner.exe"
282624 Feb 7 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Feb 7 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
126976 Oct 19 2005 "C:\WINDOWS\system32\hkcmd.exe"
114688 Apr 6 2003 "C:\Katie Todechiney\DRIVERS\VIDEO\HKCMD.EXE"
126976 Oct 19 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\DELL\drivers\R60084\Graphics\Win2000\hkcmd.exe"
118784 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups010\DriverFiles\hkcmd.exe"
155648 Oct 19 2005 "C:\WINDOWS\system32\igfxtray.exe"
155648 Apr 6 2003 "C:\Katie Todechiney\DRIVERS\VIDEO\IGFXTRAY.EXE"
155648 Oct 19 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 7 2003 "C:\DELL\drivers\R60084\Graphics\Win2000\igfxtray.exe"
155648 Feb 10 2004 "C:\WINDOWS\system32\ReinstallBackups010\DriverFiles\igfxtray.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
579072 Jan 11 2008 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
579072 Jan 11 2008 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Sep 13 2004 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
14348 Jan 28 2008 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\bak\jusched.exe"
176128 Dec 14 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe"
176128 Dec 14 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb12.exe"

end of report

Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
Advanced WindowsCare Personal 2.6.0
Ahead Nero - Burning Rom
AOL Instant Messenger
AOL Pictures Tools (version 10.5.0.4)
avast! Antivirus
BCM V.92 56K Modem
Big Mutha Truckers
Broadcom 440x 10/100 Integrated Controller
BUM
CCleaner (remove only)
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
DVC305
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Hard Truck 18 Wheels of Steel
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
Intel® Extreme Graphics Driver
Intel® Integrated Performance Primitives RTI 4.0
InterActual Player
Java 2 Runtime Environment, SE v1.4.2_06
Java 6 Update 2
Java 6 Update 3
Lemonade Tycoon
Melaleuca - Sun Valley Screen Saver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSN Toolbar
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
Musicmatch for Windows Media Player
Paint Shop Pro 7
PC Wizard 2007.1.72
PowerDVD
Presto! VideoWorks 6 (VCD Version)
QuickBooks Pro 2008
Rahjongg The Curse of Ra
Rhapsody Player Engine
RollerCoaster Tycoon 2
RollerCoaster Tycoon 2: Wacky Worlds
Scrapbook Factory Deluxe 3.0
Secure Game Player
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SimCity 4 Deluxe
Smart Start UP
SoundMAX
Spybot - Search & Destroy 1.4
Streets of SimCity
SupportSoft Assisted Service
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
USB MS
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
WordPerfect Office 11
Yahoo! Toolbar
rmurphy Posted February 16, 2008

== Remove Programs ==
Please go to Add/Remove Programs in the Control Panel, and remove the following programs:
Java 2 Runtime Environment, SE v1.4.2_06
Java™ 6 Update 2
Java™ 6 Update 3
Reboot your computer.

== Install Latest Java ==
Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.
Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.
Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.
Once it has finished downloading, double-click it, and follow the prompts to install.
If it asks to reboot, select Yes.

== FindAWF Option 3 ==
Copy the folder paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Program Files\AdwareAlert\bak
C:\Program Files\CCleaner\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender
C:\WINDOWS\system32\bak
C:\Program Files\Alwil Software\Avast4
C:\Program Files\Grisoft\AVG7
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 3, then press Enter.
Press any key to continue.
A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right-click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
The program will proceed to remove the bad folders and will perform another scan for bak folders.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply along with a new HijackThis log.
-Ryan
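Before option 3 deletes the bak folders, it is worth confirming that no autostart entry still points into one, and that no Run-key target is still the dropped stub. The ComboFix registry dump earlier in this thread shows both conditions ("QuickTime Task" launching C:\Program Files\QuickTime\bak\qttask.exe, and several entries of exactly 14348 bytes), and the HijackThis O4 lines carry the same paths. The following Python 3 script is an added example for this page, not part of FindAWF, ComboFix or HijackThis; its sample lines are copied from the logs in this thread, and the regular expressions assume the HijackThis "O4 - " and ComboFix REGEDIT4 line formats as they appear there.

```python
# Added example for this page (not FindAWF, ComboFix or HijackThis code):
# find autostart entries that still point into a 'bak' folder, or whose
# ComboFix-reported size is the dropped stub, before bak folders are removed.
import re
from pathlib import PureWindowsPath

# HijackThis O4 line: O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" -args
HJT_O4 = re.compile(
    r'^O4 - (?P<hive>[^:]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] '
    r'(?P<path>"[^"]+"|.*?\.exe)', re.IGNORECASE)

# ComboFix REGEDIT4 dump line: "Name"="C:\path\prog.exe" [date time size]
CF_RUN = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?: \[(?P<meta>[^\]]*)\])?')

STUB_SIZE = 14348  # size of every dropped file in the FindAWF report above


def parse_autostart(lines):
    """Turn log lines into {source, name, path, size} records. Size is only
    known for ComboFix lines (first all-digit token of the bracketed meta);
    unrecognised lines are skipped."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = HJT_O4.match(line)
        if m:
            entries.append({"source": "hjt", "name": m["name"],
                            "path": m["path"].strip('"'), "size": None})
            continue
        m = CF_RUN.match(line)
        if m:
            size = next((int(t) for t in (m["meta"] or "").split()
                         if t.isdigit()), None)
            entries.append({"source": "combofix", "name": m["name"],
                            "path": m["path"], "size": size})
    return entries


def in_bak_folder(path):
    """True when any directory component (not the file name) is 'bak'."""
    return "bak" in (p.lower() for p in PureWindowsPath(path).parts[:-1])


def orphan_candidates(entries):
    """Entries that would point at a deleted file once bak folders are removed."""
    return [e for e in entries if in_bak_folder(e["path"])]


def stub_sized(entries, size=STUB_SIZE):
    """ComboFix entries whose target is exactly the stub size: not yet restored."""
    return [e for e in entries if e["size"] == size]


# Constructed sample: lines copied from the ComboFix and HijackThis logs in this thread.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe',
    r"O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')",
    r'"QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-02-07 20:32 282624]',
    r'"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2008-01-28 19:02 14348]',
    r'"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-28 19:02 14348]',
    r'"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 04:59 122880 C:\WINDOWS\BCMSMMSG.exe]',
    r'"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]',
]

if __name__ == "__main__":
    found = parse_autostart(SAMPLE_LINES)
    for e in orphan_candidates(found):
        print(f"still points into bak: [{e['name']}] {e['path']} ({e['source']})")
    for e in stub_sized(found):
        print(f"stub-sized target:     [{e['name']}] {e['path']} {e['size']} bytes")
```

Feed it the whole ComboFix log and HijackThis log instead of SAMPLE_LINES and anything it prints is a Run key to fix (or a file to restore) before the bak folders go. The size check only works on the ComboFix dump, since HijackThis does not report sizes; an entry like "BCMSMMSG.exe" with no directory is left alone because its real location is only given inside the brackets.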
todechineys02 (Author) Posted February 17, 2008

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Sat 02/16/2008
The current time is: 22:16:52.17

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\QUICKT~1\BAK
02/07/2007 08:32 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK
11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK
12/04/2007 06:00 AM 79,224 ashDisp.exe
1 File(s) 79,224 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK
01/11/2008 09:09 PM 579,072 avgcc.exe
1 File(s) 579,072 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
09/28/2004 08:26 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

282624 Feb 7 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Feb 7 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Dec 4 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
579072 Jan 11 2008 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
579072 Jan 11 2008 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\bak\jusched.exe"
139264 Dec 14 2007 "C:\Program Files\Java\jdk1.6.0_04\jre\bin\jusched.exe"

end of report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:36 PM, on 2/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [spyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.melaleuca.com
O15 - Trusted Zone: http://www.wellsfargo.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103003783640
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.5.0.4.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3C640BD-7822-430B-A97D-32309D1B10D4}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O21 - SSODL: Adobe Acrobat 5.0 - {74ED521F-7B75-7458-EFE8-A5F313C962AE} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 9960 bytes
rmurphy Posted February 17, 2008

== Clear Temporary Files ==
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

== Clear System Restore ==
Let's make a new restore point and clear the others:
Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point.
Please do this for each hard drive that you have connected to the computer.

== Kaspersky Web Scanner ==
Please do an online scan with Kaspersky WebScanner.
You will need to use Internet Explorer to do this.
Click on Accept.
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded, click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
Scan Options: Scan Archives, Scan Mail Bases
Click OK.
Now under "Select a target to scan", select My Computer.
The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.

== Request Logs ==
Please post the log from the Kaspersky scan.
-Ryan
todechineys02 Posted February 17, 2008 (Author)

See Attached
todechineys02 Posted February 17, 2008 (Author)

KASPERSKY ONLINE SCANNER REPORT
Sunday, February 17, 2008 10:28:04 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/02/2008
Kaspersky Anti-Virus database records: 570059

Scan Settings
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects: 82448
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 01:15:37

Infected Object Name    Virus Name    Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat    Object is locked    skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12082007-203029.log    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\LocalService\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT    Object is locked    skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG    Object is locked    skipped
C:\Documents and Settings\Owner\Cookies\index.dat    Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat    Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG    Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFF207.tmp    Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat    Object is locked    skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat    Object is locked    skipped
C:\Documents and Settings\Owner\ntuser.dat    Object is locked    skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG    Object is locked    skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat    Object is locked    skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db    Object is locked    skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int    Object is locked    skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws    Object is locked    skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log    Object is locked    skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log    Object is locked    skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt    Object is locked    skipped
C:\Program Files\Enigma Software Group\SpyHunter\Backup\insider.exe.dat/Program Files/Insider/Insider.exe    Infected: not-a-virus:AdWare.Win32.Insider.a    skipped
C:\Program Files\Enigma Software Group\SpyHunter\Backup\insider.exe.dat    ZIP: infected - 1    skipped
C:\QooBox\Quarantine\catchme2008-02-14_190925.29.zip/core.sys    Infected: Rootkit.Win32.Agent.sg    skipped
C:\QooBox\Quarantine\catchme2008-02-14_190925.29.zip    ZIP: infected - 1    skipped
C:\System Volume Information\MountPointManagerRemoteDatabase    Object is locked    skipped
C:\System Volume Information\_restore{1328CE5C-DE94-4B3A-A6EA-DFC2E4247BAD}\RP1120\change.log    Object is locked    skipped
C:\WINDOWS\Debug\PASSWD.LOG    Object is locked    skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll    Infected: not-a-virus:Downloader.Win32.PopCap.b    skipped
C:\WINDOWS\SchedLgU.Txt    Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb    Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log    Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb    Object is locked    skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log    Object is locked    skipped
C:\WINDOWS\Sti_Trace.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\edb.log    Object is locked    skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb    Object is locked    skipped
C:\WINDOWS\system32\config\Antivirus.Evt    Object is locked    skipped
C:\WINDOWS\system32\config\AppEvent.Evt    Object is locked    skipped
C:\WINDOWS\system32\config\default    Object is locked    skipped
C:\WINDOWS\system32\config\default.LOG    Object is locked    skipped
C:\WINDOWS\system32\config\Internet.evt    Object is locked    skipped
C:\WINDOWS\system32\config\QB GDS P.evt    Object is locked    skipped
C:\WINDOWS\system32\config\SAM    Object is locked    skipped
C:\WINDOWS\system32\config\SAM.LOG    Object is locked    skipped
C:\WINDOWS\system32\config\SecEvent.Evt    Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY    Object is locked    skipped
C:\WINDOWS\system32\config\SECURITY.LOG    Object is locked    skipped
C:\WINDOWS\system32\config\software    Object is locked    skipped
C:\WINDOWS\system32\config\software.LOG    Object is locked    skipped
C:\WINDOWS\system32\config\SysEvent.Evt    Object is locked    skipped
C:\WINDOWS\system32\config\system    Object is locked    skipped
C:\WINDOWS\system32\config\system.LOG    Object is locked    skipped
C:\WINDOWS\system32\h323log.txt    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA    Object is locked    skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP    Object is locked    skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6d4.dat    Object is locked    skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt    Object is locked    skipped
C:\WINDOWS\wiadebug.log    Object is locked    skipped
C:\WINDOWS\wiaservc.log    Object is locked    skipped
C:\WINDOWS\WindowsUpdate.log    Object is locked    skipped

Scan process completed.
rmurphy Posted February 17, 2008

Open HiJack This and scan. When it finishes, put an X in the box next to the following item(s):

O4 - HKCU\..\Run: [spyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)

Close all open windows except for HiJack This and click Fix checked.
Please reboot into safe mode (continually tap the F8 key while your system is starting, then select Safe Mode from the menu). Remove the following files in bold (if found):
C:\Program Files\SpyDefender Pro\
Reboot your computer.
Please rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working.
-Ryan
todechineys02 Posted February 20, 2008 (Author)

It didn't show when I rebooted in safe mode.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:58 PM, on 2/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST1.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Program Files\CCleaner\ccleaner.exe" /AUTO
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.melaleuca.com
O15 - Trusted Zone: http://www.wellsfargo.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1103003783640
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.winkflash.com/photo/loaders/ImageUploader4.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uploads/Fuj...ploadClient.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE71A78B-77DB-451C-A761-59B37022D544} (AOL Newport Downloader Ctrl) - http://o.aolcdn.com/pictures/ap/Resources/...ns.10.5.0.4.cab
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes....cab?v=1,0,0,37
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3C640BD-7822-430B-A97D-32309D1B10D4}: NameServer = 205.171.3.65,205.171.2.65
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks Pro\HelpAsyncPluggableProtocol.dll
O21 - SSODL: Adobe Acrobat 5.0 - {74ED521F-7B75-7458-EFE8-A5F313C962AE} - (no file)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe

--
End of file - 9701 bytes
rmurphy Posted February 20, 2008

Please download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
-Ryan