
a.doginhispen.com virus, plz help [RESOLVED]


#1 Robleh (Member, 37 posts)
Hi, I have an Acer Travelmate 2420 notebook, and about two or three days ago I started seeing this page in my history, which I have never been on: a.doginhispen.com and sometimes b.skitodayplease.com. I'm using IE7 and I have Norton 360 installed and up to date. I always play it safe on my computer, avoiding porn sites, and I've never downloaded P2P programs like LimeWire. Anyway, I researched it and found out it was actually some sort of trojan horse that slowly takes over. I have already seen some strange things happening, like the Empowering Technology not working properly and power management. Norton 360 couldn't locate anything and says my computer is fine. But I ran Panda last night and I think it found where the virus is installed. As you'll see from the log below, I highly suspect the area Panda marked as possible virus because I've been having problems with these programs lately. Please, any help or advice will be greatly appreciated; I've always trusted this website.

Panda scan:

Incident Status Location

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@doubleclick[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@atdmt[2].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@overture[1].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Robleh\Cookies\[email protected][1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@mediaplex[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@serving-sys[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Robleh\Cookies\[email protected][2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@zedo[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@casalemedia[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@realmedia[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@tribalfusion[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Robleh\Cookies\[email protected][2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@com[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Robleh\Cookies\robleh@advertising[2].txt
Possible Virus. Not disinfected C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Possible Virus. Not disinfected C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Possible Virus. Not disinfected C:\Program Files\Adobe\Reade8.\Reader\Reader_sl.exe
Possible Virus. Not disinfected C:\Program Files\Java\jre1.6.0_\BIN\JUSCHED.EXE
Possible Virus. Not disinfected C:\Program Files\QuickTime\QTTASK.EXE
Possible Virus. Not disinfected C:\Acer\Empowering Technology\ePower\EPMDM.EXE
Possible Virus. Not disinfected C:\Acer\Empowering Technology\eRecovery\Monitor.exe
Possible Virus. Not disinfected C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:53 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Windows\RUNXMLPL.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IE - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cub: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .cube: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .dx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .emb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .embl: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .gau: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .jdx: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mol: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .mop: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .pdb: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .rxn: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .scr: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .skc: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .spt: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .tgf: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .xyz: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by130fd.bay13...es/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10908 bytes



#2 RatHat (Ex Malware Expert, 7,829 posts)
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I will help you get through the process of cleaning the malware from your computer.


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with.

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please post me an Uninstall List from HijackThis:
  • Re-Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Download ComboFix from Here, Here or Here to your Desktop. (If you already have ComboFix, please delete it and download this new version).

When asked to "Save As" save Combofix.exe as Combo-Fix.exe
  • Now physically disconnect from the internet and STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields)
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Save this log to your desktop as Combofix.txt and post it in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

I notice that you have had a couple of logs here in the Malware forum, where you have not responded to the assistance given, and the logs have been closed due to lack of feedback.

Please continue with this log until it is clear, or at least let me know that you no longer require assistance, if that becomes the case.

Regards,
RatHat

#3 Robleh (Topic Starter, Member, 37 posts)
Thanks for answering. The reason I don't always reply is because I don't always have access to the internet and usually help comes really late, although it's always appreciated. Before I follow your instructions, I would just like to mention that while I was waiting for help, I downloaded the free edition of AVG anti-virus and ran it, and it found all the files I was suspecting (Panda scan) the virus to be in, and deleted them or at least put them in the virus vault. That was yesterday, and ever since I haven't seen the a.doginhispen.com or the b.skitodayplease.com sites in my history. Now, I realise it may be too early to declare victory, but do you think it's really gone?

#4 RatHat (Ex Malware Expert, 7,829 posts)
I doubt very much that it has all gone. AWF can be a persistent bugger, so I would prefer if you could carry out all my recommendations, so we can make sure that it really has gone.

Regards,
RatHat

#5 Robleh (Topic Starter, Member, 37 posts)
Hello RatHat, again please note that I really appreciate your help. I followed all your instructions, at least I hope so. There's one thing I should mention: when I ran Combofix, at some point my computer restarted itself, after which it generated the log file; I don't know if that's normal. Well, here we go, I'm going to attach the 3 files you requested, because I think pasting them will make the message too long. And also you were right, the a.doginhispen.com came back today, so there.

Attached Files



#6 RatHat (Ex Malware Expert, 7,829 posts)
Looks like most of AWF has been cleaned, but there are a couple of entries remaining, so let's get rid of them!

  • Copy the file paths below to the clipboard by highlighting ALL of them, including the quote marks, and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
    "C:\Acer\Empowering Technology\ePower\bak\epm-dm.exe"


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.


Oh, and ComboFix rebooting your computer is normal. It needs to, to remove difficult files, which it has done.

Regards,
RatHat

#7 Robleh (Topic Starter, Member, 37 posts)
Awesome, I did as you said. I still find copying and pasting the log file is really messy, so I'm going to attach it; please let me know if it's preferable to paste it directly in the post. God bless you!!!

Attached Files: awf2.txt (5.78KB)


#8 RatHat (Ex Malware Expert, 7,829 posts)
OK, we're getting there!

If possible, it is better to copy and paste small reports into your replies. Only attach long logs so they don't get broken up.

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Grisoft\AVG7\bak
    C:\Acer\Empowering Technology\ePower\bak


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Regards,
RatHat

#9 Robleh (Topic Starter, Member, 37 posts)
Hello RatHat, here's the latest AWF log. I'm gonna paste it and attach it just in case. Thanks for the help, doc!!

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 02/05/2008
The current time is: 17:17:24.54


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/19/2005 05:09 PM 32,768 RUNXMLPL.exe
1 File(s) 32,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
08/24/2005 12:47 PM 77,824 hkcmd.exe
08/24/2005 12:51 PM 114,688 igfxpers.exe
08/24/2005 12:50 PM 94,208 igfxtray.exe
4 File(s) 302,080 bytes

Directory of C:\PROGRA~1\LAUNCH~1\BAK

09/16/2003 02:28 PM 20,480 CtrlVol.exe
04/20/2006 11:26 AM 69,632 HotkeyApp.exe
07/25/2005 01:36 PM 32,768 LaunchAp.exe
07/25/2005 10:45 AM 241,664 OSDCtrl.exe
04/20/2006 09:23 AM 86,016 Wbutton.exe
5 File(s) 450,560 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/21/2006 04:01 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\ACER\EMPOWE~1\BAK

10/24/2005 04:45 PM 2,462,208 admtray.exe
1 File(s) 2,462,208 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/04/2004 05:00 AM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/10/2007 01:59 AM 115,816 ccApp.exe
1 File(s) 115,816 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

11/02/2004 08:24 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

02/04/2005 11:11 AM 708,698 SynTPEnh.exe
02/04/2005 11:12 AM 102,490 SynTPLpr.exe
2 File(s) 811,188 bytes

Directory of C:\ACER\EMPOWE~1\ERECOV~1\BAK

01/24/2006 06:00 PM 397,312 Monitor.exe
1 File(s) 397,312 bytes

Directory of C:\ACER\EMPOWE~1\EDATAS~1\BAK

12/27/2005 03:50 PM 69,632 eDSloader.exe
1 File(s) 69,632 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

08/04/2004 05:00 AM 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/04/2004 05:00 AM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 04:30 PM 81,920 issch.exe
08/11/2005 04:30 PM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 May 19 2005 "C:\WINDOWS\bak\RUNXMLPL.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
94208 Aug 24 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
77824 Aug 24 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Aug 24 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
32768 Jul 25 2005 "C:\Program Files\Launch Manager\bak\LaunchAp.exe"
69632 Apr 20 2006 "C:\Program Files\Launch Manager\bak\HotkeyApp.exe"
20480 Sep 16 2003 "C:\Program Files\Launch Manager\bak\CtrlVol.exe"
241664 Jul 25 2005 "C:\Program Files\Launch Manager\bak\OSDCtrl.exe"
86016 Apr 20 2006 "C:\Program Files\Launch Manager\bak\Wbutton.exe"
282624 Nov 21 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
2462208 Oct 24 2005 "C:\Acer\Empowering Technology\bak\admtray.exe"
208952 Aug 4 2004 "C:\WINDOWS\ime\imjp8_1\imjpmig.exe"
208952 Aug 4 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"
14860 Feb 4 2008 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
32768 Nov 2 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
102490 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
102490 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
708698 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
708698 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
397312 Jan 24 2006 "C:\Acer\Empowering Technology\eRecovery\bak\Monitor.exe"
69632 Dec 27 2005 "C:\Acer\Empowering Technology\eDataSecurity\bak\eDSloader.exe"
59392 Aug 4 2004 "C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe"
59392 Aug 4 2004 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
249856 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

Attached Files: awf3.txt (5.49KB)


#10 RatHat (Ex Malware Expert, 7,829 posts)
Well, it looks like we have another file to remove, so this time we will need to go through the steps again, but also to rename the text files that FindAWF produces:

  • Copy the file path below to the clipboard by highlighting ALL of it, including the quote marks, and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Save the text file to your desktop as AWF1.txt
  • Please copy and paste the contents of the AWF1.txt file in your next reply.

Now let's carry out the second stage again:
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\Common Files\Symantec Shared\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Save the text file to your desktop as AWF2.txt
  • Please copy and paste the contents of the AWF2.txt file in your next reply.

Finally, let's clean the trusted zones:

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 4, then press Enter.
  • You will receive a warning to reset domain zones
  • Press 1 then press Enter.
  • If you have manually included sites in the trusted zones, these will need to be re-inserted.

So could you post me the two AWF text files in your next reply by copying them and pasting them into your post.

Regards,
RatHat
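The reasoning behind RatHat's pick in the post above (ccApp.exe is the one remaining file to restore) is a size comparison: the copy in the `bak` folder is 115,816 bytes from January 2007, while the file at the live location is 14,860 bytes from February 2008, so the live file is not the vendor binary. The following Python script, added here as an illustration and not part of the FindAWF tool or this thread, automates that triage over the "Duplicate files of bak directory contents" section of a FindAWF report. It assumes the line format shown in the report in this thread (size, date, quoted path); the sample text is constructed from lines of that report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a subset of the "Duplicate files of bak directory
# contents" section of the FindAWF report posted earlier in this thread.
SAMPLE_REPORT = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 May 19 2005 "C:\WINDOWS\bak\RUNXMLPL.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
14860 Feb 4 2008 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
102490 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
102490 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"

end of report
'''

# One report line: <size> <Mon> <day> <year> "<path>" (format assumed from the thread's report).
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_duplicates(text):
    """Return (size, date, path) tuples for every file line in the report."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def is_bak_copy(path):
    """True when the file sits directly inside a folder named 'bak'."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return len(parts) >= 2 and parts[-2] == "bak"


def restore_target(path):
    """The location the bak copy belongs at: the parent of the 'bak' folder."""
    p = PureWindowsPath(path)
    return str(p.parent.parent / p.name)


def classify(entries):
    """Map each bak copy to a verdict about its live counterpart."""
    live = [e for e in entries if not is_bak_copy(e[2])]
    verdicts = {}
    for size, _date, path in entries:
        if not is_bak_copy(path):
            continue
        name = PureWindowsPath(path).name.lower()
        target = restore_target(path).lower()
        same_name = [e for e in live if PureWindowsPath(e[2]).name.lower() == name]
        at_target = [e for e in same_name if e[2].lower() == target]
        if at_target:
            # A file exists where the backup came from: identical size means the
            # original is back in place; a different size means the live file
            # is not the backed-up binary and the bak copy should be restored.
            verdicts[path] = "identical" if at_target[0][0] == size else "size-mismatch"
        elif same_name:
            verdicts[path] = "copy-elsewhere"   # same name under another folder only
        else:
            verdicts[path] = "no-live-copy"     # report lists only the bak copy
    return verdicts


def analyze_report(text):
    return classify(parse_duplicates(text))


def restore_candidates(verdicts):
    """bak copies whose live counterpart differs in size, in sorted order."""
    return sorted(p for p, v in verdicts.items() if v == "size-mismatch")


if __name__ == "__main__":
    results = analyze_report(SAMPLE_REPORT)
    for path, verdict in results.items():
        print(f"{verdict:14} {path}")
    print("restore from bak:", restore_candidates(results))
```

Only the `size-mismatch` verdict marks a bak copy that still needs restoring; `copy-elsewhere` entries (the Synaptics and Java files here) are same-named binaries in other folders that FindAWF lists because it searches by file name, and `identical` entries are originals already back in place.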



#11 Robleh (Topic Starter, Member, 37 posts)
Here are the log files. Just out of curiosity, I don't really know what's going on, but is there some sort of an area on my computer where the virus is creating all those log files? If yes, have we found it yet? Just for my own knowledge...

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Tue 02/05/2008
The current time is: 19:47:56.78


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/19/2005 05:09 PM 32,768 RUNXMLPL.exe
1 File(s) 32,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
08/24/2005 12:47 PM 77,824 hkcmd.exe
08/24/2005 12:51 PM 114,688 igfxpers.exe
08/24/2005 12:50 PM 94,208 igfxtray.exe
4 File(s) 302,080 bytes

Directory of C:\PROGRA~1\LAUNCH~1\BAK

09/16/2003 02:28 PM 20,480 CtrlVol.exe
04/20/2006 11:26 AM 69,632 HotkeyApp.exe
07/25/2005 01:36 PM 32,768 LaunchAp.exe
07/25/2005 10:45 AM 241,664 OSDCtrl.exe
04/20/2006 09:23 AM 86,016 Wbutton.exe
5 File(s) 450,560 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/21/2006 04:01 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\ACER\EMPOWE~1\BAK

10/24/2005 04:45 PM 2,462,208 admtray.exe
1 File(s) 2,462,208 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/04/2004 05:00 AM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/10/2007 01:59 AM 115,816 ccApp.exe
1 File(s) 115,816 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

11/02/2004 08:24 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

02/04/2005 11:11 AM 708,698 SynTPEnh.exe
02/04/2005 11:12 AM 102,490 SynTPLpr.exe
2 File(s) 811,188 bytes

Directory of C:\ACER\EMPOWE~1\ERECOV~1\BAK

01/24/2006 06:00 PM 397,312 Monitor.exe
1 File(s) 397,312 bytes

Directory of C:\ACER\EMPOWE~1\EDATAS~1\BAK

12/27/2005 03:50 PM 69,632 eDSloader.exe
1 File(s) 69,632 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

08/04/2004 05:00 AM 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/04/2004 05:00 AM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 04:30 PM 81,920 issch.exe
08/11/2005 04:30 PM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 May 19 2005 "C:\WINDOWS\bak\RUNXMLPL.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
94208 Aug 24 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
77824 Aug 24 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Aug 24 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
32768 Jul 25 2005 "C:\Program Files\Launch Manager\bak\LaunchAp.exe"
69632 Apr 20 2006 "C:\Program Files\Launch Manager\bak\HotkeyApp.exe"
20480 Sep 16 2003 "C:\Program Files\Launch Manager\bak\CtrlVol.exe"
241664 Jul 25 2005 "C:\Program Files\Launch Manager\bak\OSDCtrl.exe"
86016 Apr 20 2006 "C:\Program Files\Launch Manager\bak\Wbutton.exe"
282624 Nov 21 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
2462208 Oct 24 2005 "C:\Acer\Empowering Technology\bak\admtray.exe"
208952 Aug 4 2004 "C:\WINDOWS\ime\imjp8_1\imjpmig.exe"
208952 Aug 4 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
32768 Nov 2 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
102490 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
102490 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
708698 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
708698 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
397312 Jan 24 2006 "C:\Acer\Empowering Technology\eRecovery\bak\Monitor.exe"
69632 Dec 27 2005 "C:\Acer\Empowering Technology\eDataSecurity\bak\eDSloader.exe"
59392 Aug 4 2004 "C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe"
59392 Aug 4 2004 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
249856 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 02/05/2008
The current time is: 19:51:59.51


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/19/2005 05:09 PM 32,768 RUNXMLPL.exe
1 File(s) 32,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
08/24/2005 12:47 PM 77,824 hkcmd.exe
08/24/2005 12:51 PM 114,688 igfxpers.exe
08/24/2005 12:50 PM 94,208 igfxtray.exe
4 File(s) 302,080 bytes

Directory of C:\PROGRA~1\LAUNCH~1\BAK

09/16/2003 02:28 PM 20,480 CtrlVol.exe
04/20/2006 11:26 AM 69,632 HotkeyApp.exe
07/25/2005 01:36 PM 32,768 LaunchAp.exe
07/25/2005 10:45 AM 241,664 OSDCtrl.exe
04/20/2006 09:23 AM 86,016 Wbutton.exe
5 File(s) 450,560 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/21/2006 04:01 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\ACER\EMPOWE~1\BAK

10/24/2005 04:45 PM 2,462,208 admtray.exe
1 File(s) 2,462,208 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/04/2004 05:00 AM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

11/02/2004 08:24 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK

02/04/2005 11:11 AM 708,698 SynTPEnh.exe
02/04/2005 11:12 AM 102,490 SynTPLpr.exe
2 File(s) 811,188 bytes

Directory of C:\ACER\EMPOWE~1\ERECOV~1\BAK

01/24/2006 06:00 PM 397,312 Monitor.exe
1 File(s) 397,312 bytes

Directory of C:\ACER\EMPOWE~1\EDATAS~1\BAK

12/27/2005 03:50 PM 69,632 eDSloader.exe
1 File(s) 69,632 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

08/04/2004 05:00 AM 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/04/2004 05:00 AM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

08/11/2005 04:30 PM 81,920 issch.exe
08/11/2005 04:30 PM 249,856 isuspm.exe
2 File(s) 331,776 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007 07:51 PM 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 May 19 2005 "C:\WINDOWS\bak\RUNXMLPL.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
94208 Aug 24 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
77824 Aug 24 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Aug 24 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
32768 Jul 25 2005 "C:\Program Files\Launch Manager\bak\LaunchAp.exe"
69632 Apr 20 2006 "C:\Program Files\Launch Manager\bak\HotkeyApp.exe"
20480 Sep 16 2003 "C:\Program Files\Launch Manager\bak\CtrlVol.exe"
241664 Jul 25 2005 "C:\Program Files\Launch Manager\bak\OSDCtrl.exe"
86016 Apr 20 2006 "C:\Program Files\Launch Manager\bak\Wbutton.exe"
282624 Nov 21 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
2462208 Oct 24 2005 "C:\Acer\Empowering Technology\bak\admtray.exe"
208952 Aug 4 2004 "C:\WINDOWS\ime\imjp8_1\imjpmig.exe"
208952 Aug 4 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"
32768 Nov 2 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
102490 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPLpr.exe"
102490 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
708698 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\Media\SynTPEnh.exe"
708698 Feb 4 2005 "C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
397312 Jan 24 2006 "C:\Acer\Empowering Technology\eRecovery\bak\Monitor.exe"
69632 Dec 27 2005 "C:\Acer\Empowering Technology\eDataSecurity\bak\eDSloader.exe"
59392 Aug 4 2004 "C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe"
59392 Aug 4 2004 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 Aug 4 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
249856 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe"
81920 Aug 11 2005 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report

thx for the help

#12
RatHat (Ex Malware Expert)

Here are the log files. Just out of curiosity, I don't really know what's going on, but is there some sort of an area on my computer where the virus is creating all those log files? If yes, have we found it yet? Just for my own knowledge...


Yes, that's what we have been doing! AWF creates folders on your system where it puts the original files, and replaces them with infected files. We have been undoing that.

Now could you run Combofix again please, as outlined in Post 2.

Next, download DrWeb-CureIt & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with DrWeb-CureIt as follows:
  • Double-click on drweb-cureit.exe to start the program. An "Express Scan of your PC" notice will appear.
  • Under "Start the Express Scan Now", Click "OK" to start. This is a short scan that will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan tab" and UNcheck "Heuristic analysis"
  • Back at the main window, click "Select drives" (a red dot will show which drives have been chosen)
  • Then click the "Start/Stop Scanning" button (green arrow on the right) and the scan will start.
  • When done, a message will be displayed at the bottom advising if any viruses were found.
  • Click "Yes to all" if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can see the icon next to the files found. If so, click it, then click the next icon right below and select "Move incurable".
    (This will move it to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if it can't be cured)
  • Next, in the Dr.Web CureIt menu on top, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Finally, run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Attach Kaspersky.txt in your next post.
Regards,
RatHat
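RatHat's explanation above (AWF moves the genuine executables into a `bak` folder beside each one and drops a replacement in their place) is exactly what the two FindAWF reports in post #11 document: the "bak folders found" section lists the displaced originals, and the "Duplicate files of bak directory contents" section lists same-named files found outside those folders. The following is an added example, not code from the thread, from RatHat, or from the FindAWF tool itself: a small Python triage script that parses those two sections and, for every file in a `bak` folder, reports whether a same-size file is back at the original location, whether the file there has a different size, whether a same-named file is listed only elsewhere (the `jre1.6.0_01` / `jre1.6.0_03` `jusched.exe` pair in the posted report), or whether nothing is listed outside `bak` at all. The line format, the assumption that `bak` is a direct child of the original directory, the verdict names, and the sample report (an abridged excerpt of post #11 plus one constructed `qttask.exe` pair to show a size mismatch) are all this example's own.

```python
"""Triage the 'bak folders found' and 'Duplicate files of bak directory
contents' sections of a FindAWF report.

Added example for this thread; not part of FindAWF or of the posts above.
Assumptions (labelled): lines are formatted exactly as printed in the posted
reports, the bak folder sits directly beside the original location, and the
verdict names are the example's own."""
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# '<size> <Mon> <day> <year> "<path>"' -- the shape of every line in the
# duplicate section of the posted reports.
DUP_LINE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')
BAK_DIR = re.compile(r"^\s*Directory of (.+?)\s*$")

# Constructed sample: an abridged excerpt of the report in post #11. The two
# qttask.exe lines with a 300000-byte live file are constructed, not from
# the thread, so that the size-mismatch verdict is exercised.
SAMPLE_REPORT = r"""bak folders found
~~~~~~~~~~~

Directory of C:\WINDOWS\BAK

05/19/2005 05:09 PM 32,768 RUNXMLPL.exe
1 File(s) 32,768 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
08/24/2005 12:50 PM 94,208 igfxtray.exe
2 File(s) 109,568 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

32768 May 19 2005 "C:\WINDOWS\bak\RUNXMLPL.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
94208 Aug 24 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
300000 Jan 1 2008 "C:\Program Files\QuickTime\qttask.exe"
282624 Nov 21 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"

end of report
"""


def bak_folders(report: str) -> list[str]:
    """Every 'Directory of ...' heading in the 'bak folders found' section."""
    return [m.group(1) for m in map(BAK_DIR.match, report.splitlines()) if m]


def parse_duplicates(report: str) -> list[tuple[int, str, str]]:
    """(size, date, path) for each line after the 'Duplicate files' heading."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        m = DUP_LINE.match(line) if in_section else None
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def is_bak_path(path: str) -> bool:
    """True when a directory component (not the drive, not the file name) is 'bak'."""
    return any(p.lower() == "bak" for p in PureWindowsPath(path).parts[1:-1])


def expected_original(bak_path: str) -> str:
    """Where the file lived before being moved into bak (assumption: the bak
    folder is a direct child of the original directory, as in the report)."""
    parts = [p for p in PureWindowsPath(bak_path).parts if p.lower() != "bak"]
    return str(PureWindowsPath(*parts))


def triage(entries):
    """Map each bak file to (verdict, detail). Verdict names are the example's own:
    restored      -- a same-size file is present at the original location
    size-mismatch -- a file is at the original location but its size differs
    elsewhere     -- a same-named file is listed only in other directories
    unlisted      -- the report shows no same-named file outside bak"""
    live = defaultdict(list)  # file name (lower-cased) -> [(size, path)] outside bak
    for size, _d, path in entries:
        if not is_bak_path(path):
            live[PureWindowsPath(path).name.lower()].append((size, path))
    verdicts = {}
    for size, _d, path in entries:
        if not is_bak_path(path):
            continue
        orig = expected_original(path)
        twins = live.get(PureWindowsPath(path).name.lower(), [])
        at_orig = [s for s, p in twins if p.lower() == orig.lower()]
        if at_orig and at_orig[0] == size:
            verdicts[path] = ("restored", orig)
        elif at_orig:
            verdicts[path] = ("size-mismatch", f"{orig} is {at_orig[0]} bytes, bak copy is {size}")
        elif twins:
            verdicts[path] = ("elsewhere", "; ".join(p for _s, p in twins))
        else:
            verdicts[path] = ("unlisted", orig)
    return verdicts


def summarize(report: str) -> Counter:
    """Verdict counts for one report, e.g. to compare the Option 2 and Option 3 runs."""
    return Counter(v for v, _ in triage(parse_duplicates(report)).values())


if __name__ == "__main__":
    print("bak folders:", bak_folders(SAMPLE_REPORT))
    for path, (verdict, detail) in triage(parse_duplicates(SAMPLE_REPORT)).items():
        print(f"{verdict:14} {path}  -> {detail}")
    print(dict(summarize(SAMPLE_REPORT)))
```

Run against the posted Option 2 and Option 3 reports (paste either one in place of the sample), "restored" entries are the ones FindAWF's option 2 has already copied back, while "unlisted", "elsewhere" and "size-mismatch" entries are the ones worth checking by hand before the bak folders are removed with option 3.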

#13
Robleh (Topic Starter)
Hello RatHat, again I'd like to thank you for all your help, but just a few minutes ago I had the scare of my life lol!!!! I did as you said, I ran Combofix, which by the way didn't restart my computer this time, and I'm gonna attach the log. Then I downloaded DrWeb, I restarted the computer in safe mode, I had to choose between two users, Administrator and Robleh, I chose the latter. Then I went ahead and ran DrWeb; it didn't automatically ask me for a quick scan, instead I just had a choice between update and start, so I picked start, then it offered the quick scan and I clicked OK, and then after 10 seconds my computer just shut itself off. So I restarted again in safe mode and ran DrWeb, and the same thing happened. I went for a 3rd time, but this time instead of starting in safe mode my computer showed a black screen filled with lines like "C/windows/drivers/dfd/" all the way down. It stayed like that for about 5 min and then the computer turned itself off. I restarted in normal mode and here I am. I don't know what happened but I really freaked out!!! Sorry but I'm a noob in computers and I love mine!!! I didn't run the Kaspersky online scan cuz I was afraid the virus might create one of those bak files about it too. So my question is, is it possible to run DrWeb in normal mode while disconnected from the internet? Is there another way to fix this? Anyway thx for your advice.

Attached Files

  • Attached File  log1.txt   10.06KB   194 downloads


#14
RatHat (Ex Malware Expert)
Can you run the Kaspersky scan and post the results please.

Regards,
RatHat

#15
Robleh (Topic Starter)
Hello RatHat, here's the Kaspersky log after a 2-hour scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, February 06, 2008 7:18:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/02/2008
Kaspersky Anti-Virus database records: 552584
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 62480
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 02:06:27

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\Temp\JETE8DF.tmp Object is locked skipped
C:\WINDOWS\Temp\JETEBAE.tmp Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-02-06_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\37893C03.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\EA4B1E71.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robleh\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robleh\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robleh\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robleh\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robleh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robleh\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robleh\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Robleh\Local Settings\Temp\~DFF25.tmp Object is locked skipped
C:\Documents and Settings\Robleh\Local Settings\Temp\~DFF2F.tmp Object is locked skipped
C:\Documents and Settings\Robleh\Cookies\index.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP176\change.log Object is locked skipped

Scan process completed.