Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Need Help-Unknown Problem with Internet

Started by jendrea , Feb 03 2008 01:15 PM

Please log in to reply

#1
jendrea

Posted 03 February 2008 - 01:15 PM

New Member

Member
9 posts

I'm having a problem with Internet Explorer running extremely slow and eventually freezing. Whenever we open the internet, it freezes for about 10 minutes before pages finally load and CPU usage is at 100%.
Also have these Perfect Love/Trend Setter pop ups that keep coming up and slowing it down even more.
Thanks in advance for any help or advice.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:01 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [ejrumwuz] C:\WINDOWS\system32\uxidgdet.exe
O4 - HKLM\..\Run: [c85ffc40] rundll32.exe "C:\WINDOWS\system32\__c00D0DD8.dat",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [A00F4F5F1B6.exe] C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\_A00F4F5F1B6.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189872905593
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://voffice.txpc...on.com/NELX.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...kimi_plugin.cab
O20 - Winlogon Notify: __c00F127D - C:\WINDOWS\system32\__c00F127D.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10085 bytes

#2
kahdah

Posted 03 February 2008 - 01:54 PM

GeekU Teacher

Retired Staff
15,822 posts

Hello jendrea

Welcome to G2Go.

=================
Please download ComboFix from Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

#3
jendrea

Posted 03 February 2008 - 03:04 PM

New Member

Topic Starter
Member
9 posts

ok. Here's the ComboFix Report---

ComboFix 08-02.03.1 - HP_Administrator 2008-02-03 14:51:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.516 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\__c00F127D.dat
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\res2\WhiteList.dbs
C:\Documents and Settings\HP_Administrator\Application Data\SpamBlockerUtility_Icons
C:\Documents and Settings\HP_Administrator\Application Data\SpamBlockerUtility_Icons\Software_Online_8.ico
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll
C:\Program Files\ShoppingReport\Uninst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c0012AD9.dat
C:\WINDOWS\system32\__c001F57C.dat
C:\WINDOWS\system32\__c004E840.dat
C:\WINDOWS\system32\__c009777.dat
C:\WINDOWS\system32\__c00B5E2E.dat
C:\WINDOWS\system32\__c00D0DD8.dat
C:\WINDOWS\system32\__c00F127D.dat
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\Config.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\WINDOWS\system32\config\systemprofile\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\WINDOWS\system32\mcrh.tmp
C:\xcrashdump.dat
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-01 07:04 . 2008-02-01 07:04 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-01-28 21:37 . 2008-01-28 21:37 <DIR> d-------- C:\WINDOWS\system32\bak
2008-01-28 18:13 . 2008-02-03 12:40 1,133,939 ---hs---- C:\WINDOWS\system32\8DD0D00c__.ini
2008-01-21 18:14 . 2008-01-28 18:01 1,165,738 ---hs---- C:\WINDOWS\system32\1312C00c__.ini
2008-01-16 21:39 . 2008-01-16 21:39 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller
2008-01-13 22:05 . 2008-01-21 18:12 1,485,181 ---hs---- C:\WINDOWS\system32\DD9BA00c__.ini
2008-01-12 21:10 . 2008-01-12 21:10 2,107,712 ---hs---- C:\WINDOWS\system32\777900c__.ini2
2008-01-12 21:10 . 2008-01-12 21:10 1,058,312 ---hs---- C:\WINDOWS\system32\777900c__.tmp
2008-01-06 22:18 . 2008-01-10 23:08 1,058,312 ---hs---- C:\WINDOWS\system32\777900c__.ini
2008-01-04 22:08 . 2008-01-06 09:58 1,043,972 ---hs---- C:\WINDOWS\system32\C75F100c__.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-02 20:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-01-29 03:37 --------- d-----w C:\Program Files\QuickTime
2008-01-29 03:37 --------- d-----w C:\Program Files\DISC
2008-01-24 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-20 00:21 --------- d-----w C:\Program Files\LimeWire
2008-01-17 13:07 --------- d-----w C:\Program Files\Yahoo!
2008-01-13 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-11 02:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-28 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 03:38 --------- d-----w C:\Program Files\Trend Micro
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2006-03-07 18:40:59 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 1,095,256 2007-10-31 02:57:54 C:\Program Files\DISC\bak\DISCover.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\DISC\DISCover.exe

----a-w 249,856 2005-11-10 00:29:16 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

----a-w 49,152 2005-06-02 06:35:56 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

----a-w 49,152 2005-05-12 14:12:54 C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

----a-w 132,496 2007-07-12 09:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

----a-w 286,720 2007-06-29 11:24:52 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\QuickTime\qttask.exe

----a-w 90,112 2005-11-01 17:01:00 C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak\DMAScheduler.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

----a-w 185,456 2007-08-22 02:09:07 C:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

----a-w 230,512 2007-08-22 02:09:07 C:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

----a-w 407,032 2006-07-21 15:43:10 C:\Program Files\Yahoo!\YOP\bak\yop.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Yahoo!\YOP\yop.exe

----a-w 64,512 2005-08-06 04:56:34 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-06 04:56:34 C:\WINDOWS\ehome\ehtray.exe

----a-w 237,568 2005-07-23 06:14:00 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 10,256 2008-01-29 03:37:22 C:\WINDOWS\SMINST\RECGUARD.EXE

----a-w 15,360 2004-08-10 04:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 04:00:00 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-28 21:37 10256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-01-28 21:37 10256]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2008-01-28 21:37 10256]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-28 21:37 10256]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-01-28 21:37 10256]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2008-01-28 21:37 10256]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 21:37 10256]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2008-01-28 21:37 10256]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2008-01-28 21:37 10256]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2008-01-28 21:37 10256]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-28 21:37 10256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-28 21:37 10256]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-28 21:37 10256]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2008-01-28 21:37 10256]
"ejrumwuz"="C:\WINDOWS\system32\uxidgdet.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 08:23:26 282624]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-03-07 12:59:31 36903]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-12-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F127D]
C:\WINDOWS\system32\__c00F127D.dat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e74fcc-7ad6-11dc-bc33-0016175760d0}]
\Shell\AutoRun\command - Autorun.exe /run
\Shell\Shell00\Command - Autorun.exe /run
\Shell\Shell01\Command - Autorun.exe /action
\Shell\Shell02\Command - Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 14:56:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak\DMAScheduler.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-02-03 15:00:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-03 21:00:01
.
2008-02-03 18:37:04 --- E O F ---

And here's the new HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:02:50 PM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak\DMAScheduler.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKLM\..\Run: [ejrumwuz] C:\WINDOWS\system32\uxidgdet.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189872905593
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://voffice.txpc...on.com/NELX.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...kimi_plugin.cab
O20 - Winlogon Notify: __c00F127D - C:\WINDOWS\system32\__c00F127D.dat (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9008 bytes

#4
kahdah

Posted 03 February 2008 - 03:16 PM

GeekU Teacher

Retired Staff
15,822 posts

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\8DD0D00c__.ini
C:\WINDOWS\system32\1312C00c__.ini
C:\WINDOWS\system32\DD9BA00c__.ini
C:\WINDOWS\system32\777900c__.ini2
C:\WINDOWS\system32\777900c__.tmp
C:\WINDOWS\system32\777900c__.ini
C:\WINDOWS\system32\C75F100c__.ini
C:\WINDOWS\system32\uxidgdet.exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ejrumwuz"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00F127D]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:Combofix.txt
=========================================================================
Next
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.

Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.

1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1, then press Enter
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.

#5
jendrea

Posted 03 February 2008 - 04:48 PM

New Member

Topic Starter
Member
9 posts

Here is the combofix.txt & awf.txt file.
Thanks so much for all your help!

ComboFix 08-02.03.1 - HP_Administrator 2008-02-03 16:33:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.548 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\1312C00c__.ini
C:\WINDOWS\system32\777900c__.ini
C:\WINDOWS\system32\777900c__.ini2
C:\WINDOWS\system32\777900c__.tmp
C:\WINDOWS\system32\8DD0D00c__.ini
C:\WINDOWS\system32\C75F100c__.ini
C:\WINDOWS\system32\DD9BA00c__.ini
C:\WINDOWS\system32\uxidgdet.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\1312C00c__.ini
C:\WINDOWS\system32\777900c__.ini
C:\WINDOWS\system32\777900c__.ini2
C:\WINDOWS\system32\777900c__.tmp
C:\WINDOWS\system32\8DD0D00c__.ini
C:\WINDOWS\system32\C75F100c__.ini
C:\WINDOWS\system32\DD9BA00c__.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
.

2008-02-03 15:00 . 2008-02-03 15:00 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-02-01 07:04 . 2008-02-01 07:04 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-01-28 21:37 . 2008-01-28 21:37 <DIR> d-------- C:\WINDOWS\system32\bak
2008-01-16 21:39 . 2008-01-16 21:39 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-02 20:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-01-29 03:37 --------- d-----w C:\Program Files\QuickTime
2008-01-29 03:37 --------- d-----w C:\Program Files\DISC
2008-01-24 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-20 00:21 --------- d-----w C:\Program Files\LimeWire
2008-01-17 13:07 --------- d-----w C:\Program Files\Yahoo!
2008-01-13 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-11 02:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-28 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 03:38 --------- d-----w C:\Program Files\Trend Micro
2007-12-26 02:13 2,642,600 ----a-w C:\WINDOWS\system32\xntnxsko.exe
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 180,269 2006-03-07 18:40:59 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 1,095,256 2007-10-31 02:57:54 C:\Program Files\DISC\bak\DISCover.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\DISC\DISCover.exe

----a-w 249,856 2005-11-10 00:29:16 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe

----a-w 49,152 2005-06-02 06:35:56 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

----a-w 49,152 2005-05-12 14:12:54 C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\HP\HP Software Update\HPwuSchd2.exe

----a-w 132,496 2007-07-12 09:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

----a-w 286,720 2007-06-29 11:24:52 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\QuickTime\qttask.exe

----a-w 90,112 2005-11-01 17:01:00 C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak\DMAScheduler.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe

----a-w 185,456 2007-08-22 02:09:07 C:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Yahoo!\Antivirus\CAVRID.exe

----a-w 230,512 2007-08-22 02:09:07 C:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Yahoo!\Antivirus\CAVTray.exe

----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

----a-w 407,032 2006-07-21 15:43:10 C:\Program Files\Yahoo!\YOP\bak\yop.exe
----a-w 10,256 2008-01-29 03:37:22 C:\Program Files\Yahoo!\YOP\yop.exe

----a-w 64,512 2005-08-06 04:56:34 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-06 04:56:34 C:\WINDOWS\ehome\ehtray.exe

----a-w 237,568 2005-07-23 06:14:00 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 10,256 2008-01-29 03:37:22 C:\WINDOWS\SMINST\RECGUARD.EXE

----a-w 15,360 2004-08-10 04:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-10 04:00:00 C:\WINDOWS\system32\ctfmon.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-28 21:37 10256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2008-01-28 21:37 10256]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2008-01-28 21:37 10256]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-28 21:37 10256]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2008-01-28 21:37 10256]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2008-01-28 21:37 10256]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 21:37 10256]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2008-01-28 21:37 10256]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2008-01-28 21:37 10256]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2008-01-28 21:37 10256]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-28 21:37 10256]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-28 21:37 10256]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-28 21:37 10256]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2008-01-28 21:37 10256]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 08:23:26 282624]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-03-07 12:59:31 36903]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-12-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e74fcc-7ad6-11dc-bc33-0016175760d0}]
\Shell\AutoRun\command - Autorun.exe /run
\Shell\Shell00\Command - Autorun.exe /run
\Shell\Shell01\Command - Autorun.exe /action
\Shell\Shell02\Command - Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 16:34:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 16:35:36
ComboFix-quarantined-files.txt 2008-02-03 22:35:31
ComboFix2.txt 2008-02-03 21:00:08
.
2008-02-03 18:37:04 --- E O F ---

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 02/03/2008
The current time is: 16:42:38.15

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\DISC\BAK

10/30/2007 08:57 PM 1,095,256 DISCover.exe
1 File(s) 1,095,256 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 10:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/23/2005 12:14 AM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/09/2004 10:00 PM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

11/09/2005 06:29 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/12/2005 08:12 AM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\YAHOO!\ANTIVI~1\BAK

08/21/2007 08:09 PM 185,456 CAVRID.exe
08/21/2007 08:09 PM 230,512 CAVTray.exe
2 File(s) 415,968 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

06/08/2007 08:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\YAHOO!\YOP\BAK

07/21/2006 09:43 AM 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

03/07/2006 12:40 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/02/2005 12:35 AM 49,152 hphupd08.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\SONIC\DIGITA~1\DIGITA~1\BAK

11/01/2005 11:01 AM 90,112 DMAScheduler.exe
1 File(s) 90,112 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

10256 Jan 28 2008 "C:\Program Files\DISC\DISCover.exe"
1095256 Oct 30 2007 "C:\Program Files\DISC\bak\DISCover.exe"
10256 Jan 28 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
10256 Jan 28 2008 "C:\WINDOWS\SMINST\RECGUARD.EXE"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
15360 Aug 9 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 9 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
10256 Jan 28 2008 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Nov 9 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
10256 Jan 28 2008 "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
10256 Jan 28 2008 "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
185456 Aug 21 2007 "C:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
10256 Jan 28 2008 "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
230512 Aug 21 2007 "C:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
10256 Jan 28 2008 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
10256 Jan 28 2008 "C:\Program Files\Yahoo!\YOP\yop.exe"
407032 Jul 21 2006 "C:\Program Files\Yahoo!\YOP\bak\yop.exe"
10256 Jan 28 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
10256 Jan 28 2008 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
49152 Jun 2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
36975 Aug 27 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
10256 Jan 28 2008 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
10256 Jan 28 2008 "C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
90112 Nov 1 2005 "C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak\DMAScheduler.exe"

end of report

#6
kahdah

Posted 03 February 2008 - 05:41 PM

GeekU Teacher

Retired Staff
15,822 posts

You are welcome

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

"C:\Program Files\DISC\bak\DISCover.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
"C:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
"C:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Yahoo!\YOP\bak\yop.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak\DMAScheduler.exe"
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.

1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 2, then press Enter.
Press any key to continue.
A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
The program will proceed to move the legit files and will perform another scan for .bak folder
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.

#7
jendrea

Posted 03 February 2008 - 07:23 PM

New Member

Topic Starter
Member
9 posts

new awf.txt file

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 02/03/2008
The current time is: 19:19:59.30

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\DISC\BAK

10/30/2007 08:57 PM 1,095,256 DISCover.exe
1 File(s) 1,095,256 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\EHOME\BAK

08/05/2005 10:56 PM 64,512 ehtray.exe
1 File(s) 64,512 bytes

Directory of C:\WINDOWS\SMINST\BAK

07/23/2005 12:14 AM 237,568 RECGUARD.EXE
1 File(s) 237,568 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/09/2004 10:00 PM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

11/09/2005 06:29 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

05/12/2005 08:12 AM 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\YAHOO!\ANTIVI~1\BAK

08/21/2007 08:09 PM 185,456 CAVRID.exe
08/21/2007 08:09 PM 230,512 CAVTray.exe
2 File(s) 415,968 bytes

Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

06/08/2007 08:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes

Directory of C:\PROGRA~1\YAHOO!\YOP\BAK

07/21/2006 09:43 AM 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

03/07/2006 12:40 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

06/02/2005 12:35 AM 49,152 hphupd08.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\SONIC\DIGITA~1\DIGITA~1\BAK

11/01/2005 11:01 AM 90,112 DMAScheduler.exe
1 File(s) 90,112 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

1095256 Oct 30 2007 "C:\Program Files\DISC\DISCover.exe"
1095256 Oct 30 2007 "C:\Program Files\DISC\bak\DISCover.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\RECGUARD.EXE"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
15360 Aug 9 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 9 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
249856 Nov 9 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Nov 9 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
185456 Aug 21 2007 "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
185456 Aug 21 2007 "C:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
230512 Aug 21 2007 "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
230512 Aug 21 2007 "C:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
407032 Jul 21 2006 "C:\Program Files\Yahoo!\YOP\yop.exe"
407032 Jul 21 2006 "C:\Program Files\Yahoo!\YOP\bak\yop.exe"
180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Mar 7 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
49152 Jun 2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
49152 Jun 2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"
36975 Aug 27 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
90112 Nov 1 2005 "C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe"
90112 Nov 1 2005 "C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak\DMAScheduler.exe"

end of report

#8
kahdah

Posted 03 February 2008 - 07:28 PM

GeekU Teacher

Retired Staff
15,822 posts

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Program Files\DISC\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Yahoo!\Antivirus\bak
C:\Program Files\Yahoo!\Search Protection\bak
C:\Program Files\Yahoo!\YOP\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\bak
C:\Program Files\Messenger\BAK
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
You will be presented with a Menu.

1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 3, then press Enter.
Press any key to continue.
A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
The program will proceed to remove the bad folders and will perform another scan for .bak folder
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt.
Please copy and paste the contents of the AWF.txt file in your next reply.

#9
jendrea

Posted 03 February 2008 - 07:56 PM

New Member

Topic Starter
Member
9 posts

new findawf.txt file...

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 02/03/2008
The current time is: 19:55:31.87

bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

#10
kahdah

Posted 03 February 2008 - 07:57 PM

GeekU Teacher

Retired Staff
15,822 posts

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#11
jendrea

Posted 03 February 2008 - 09:42 PM

New Member

Topic Starter
Member
9 posts

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 03, 2008 9:40:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/02/2008
Kaspersky Anti-Virus database records: 546515
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 115645
Number of viruses found: 32
Number of infected objects: 96
Number of suspicious objects: 0
Duration of the scan process: 01:14:45

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20071228133725\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\cd152.tmp.exe/data0013/data0005 Infected: not-a-virus:AdWare.Win32.Shopper.l skipped
C:\Deckard\System Scanner\20071228133725\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\cd152.tmp.exe/data0013 Infected: not-a-virus:AdWare.Win32.Shopper.l skipped
C:\Deckard\System Scanner\20071228133725\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\cd152.tmp.exe NSIS: infected - 2 skipped
C:\Deckard\System Scanner\20071228133725\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Installer.exe/data0005 Infected: not-a-virus:AdWare.Win32.Shopper.l skipped
C:\Deckard\System Scanner\20071228133725\backup\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\Installer.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04286867.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04286867.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04286867.zip CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\248F100D/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\248F100D ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\248F100D CryptFF: infected - 1 skipped
C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\2502616114.exe Infected: Trojan.Win32.KillAV.oe skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\_hphtra07.log Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DFFB9B.tmp Object is locked skipped
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Administrator\Shared\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\HP_Administrator\Shared\Top of Charts - 2003.wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\HP_Administrator\Shared\TOTALLY HIP TRACK (baby).wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\master.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\model.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\modellog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Data\templog.ldf Object is locked skipped
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\D0000000.FCS Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\inuse.txt Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\L0000003.FCS Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\main.log Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.idx Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.dat Object is locked skipped
C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.idx Object is locked skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq272.tmp\Bin\4.8.4.0\SbHostIE.dll_tobedeleted Infected: not-a-virus:AdWare.Win32.HotBar.bx skipped
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq272.tmp\Bin\4.8.4.0\SbToolbar.dll_tobedeleted_old Infected: not-a-virus:AdWare.Win32.HotBar.be skipped
C:\QooBox\Quarantine\C\Program Files\ShoppingReport\Bin\2.0.24\ShoppingReport.dll.vir Infected: not-a-virus:AdWare.Win32.Shopper.l skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c0012AD9.dat.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ecc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c001F57C.dat.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ecc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c004E840.dat.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ecc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c009777.dat.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ecc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00B5E2E.dat.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ecc skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\__c00D0DD8.dat.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ecc skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0019062.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ay skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020026.exe Infected: not-a-virus:AdWare.Win32.HotBar.bw skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020027.exe/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.ay skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020027.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020029.exe Infected: not-a-virus:AdWare.Win32.HotBar.bt skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020031.exe Infected: not-a-virus:AdWare.Win32.HotBar.bw skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020032.exe Infected: not-a-virus:AdWare.Win32.HotBar.by skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020033.dll Infected: not-a-virus:AdWare.Win32.HotBar.bi skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020035.dll Infected: not-a-virus:AdWare.Win32.HotBar.be skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020039.dll Infected: not-a-virus:AdWare.Win32.HotBar.be skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020043.dll Infected: not-a-virus:AdWare.Win32.HotBar.bj skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020044.dll Infected: not-a-virus:AdWare.Win32.HotBar.be skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020045.dll Infected: not-a-virus:AdWare.Win32.HotBar.ar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020046.dll Infected: not-a-virus:AdWare.Win32.HotBar.bx skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020047.dll Infected: not-a-virus:AdWare.Win32.HotBar.bz skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020054.exe Infected: not-a-virus:AdWare.Win32.HotBar.bt skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020055.exe/stream/data0010/data0008 Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020055.exe/stream/data0010 Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020055.exe/stream Infected: not-a-virus:AdWare.Win32.Shopper.q skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP33\A0020055.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0021250.DLL Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022259.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022260.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022261.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022263.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022265.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022266.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022267.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022268.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022269.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022270.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022271.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022272.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022273.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022274.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022275.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022276.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022277.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022279.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022280.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022282.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022284.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022285.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022286.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022287.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022288.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022289.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022300.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022301.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022303.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022304.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022305.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP35\A0022319.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP73\A0031962.dll Infected: not-a-virus:AdWare.Win32.Shopper.l skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032085.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032086.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032088.EXE Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032090.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032091.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032092.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032093.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032094.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032095.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032096.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032097.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032098.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\A0032099.exe Infected: Trojan-Downloader.Win32.Agent.iar skipped
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP74\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{ACB4B15E-D85C-44D9-9270-B16B2BA6CF07}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xntnxsko.exe/data0018/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions.ay skipped
C:\WINDOWS\system32\xntnxsko.exe/data0018/data0003 Infected: not-a-virus:AdWare.Win32.180Solutions.ay skipped
C:\WINDOWS\system32\xntnxsko.exe/data0018/data0004 Infected: not-a-virus:AdWare.Win32.HotBar.bi skipped
C:\WINDOWS\system32\xntnxsko.exe/data0018 Infected: not-a-virus:AdWare.Win32.HotBar.bi skipped
C:\WINDOWS\system32\xntnxsko.exe NSIS: infected - 4 skipped
C:\WINDOWS\Temp\Perflib_Perfdata_7f0.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#12
kahdah

Posted 04 February 2008 - 01:58 AM

GeekU Teacher

Retired Staff
15,822 posts

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\Documents and Settings\HP_Administrator\Shared\Eighties classic.wma 
C:\Documents and Settings\HP_Administrator\Shared\Top of Charts - 2003.wma 
C:\WINDOWS\system32\xntnxsko.exe
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04286867.zip
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\248F100D/vmain.class 
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\248F100D ZIP
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq272.tmp\Bin\4.8.4.0\SbHostIE.dll_tobedeleted 
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq272.tmp\Bin\4.8.4.0\SbToolbar.dll_tobedeleted_old 
Folder::
C:\Deckard

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#13
jendrea

Posted 04 February 2008 - 07:17 AM

New Member

Topic Starter
Member
9 posts

New Reports

ComboFix 08-02.03.1 - HP_Administrator 2008-02-04 6:54:31.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.485 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Administrator\Desktop\cfscript.txt
* Created a new restore point

FILE
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04286867.zip
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\248F100D ZIP
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\248F100D/vmain.class
C:\Documents and Settings\HP_Administrator\Shared\Eighties classic.wma
C:\Documents and Settings\HP_Administrator\Shared\Top of Charts - 2003.wma
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq272.tmp\Bin\4.8.4.0\SbHostIE.dll_tobedeleted
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq272.tmp\Bin\4.8.4.0\SbToolbar.dll_tobedeleted_old
C:\WINDOWS\system32\xntnxsko.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Deckard
C:\Documents and Settings\HP_Administrator\Shared\Eighties classic.wma
C:\Documents and Settings\HP_Administrator\Shared\Top of Charts - 2003.wma
C:\WINDOWS\system32\xntnxsko.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-03 20:04 . 2008-02-03 20:04 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-03 20:04 . 2008-02-03 20:04 <DIR> d-------- C:\WINDOWS\LastGood
2008-02-03 20:04 . 2008-02-03 20:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-01 07:04 . 2008-02-01 07:04 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Yahoo!
2008-01-16 21:39 . 2008-01-16 21:39 <DIR> d-------- C:\Documents and Settings\HP_Administrator\Application Data\MSNInstaller

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 01:55 --------- d-----w C:\Program Files\QuickTime
2008-02-04 01:55 --------- d-----w C:\Program Files\DISC
2008-02-03 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-02 20:11 --------- d-----w C:\Documents and Settings\HP_Administrator\Application Data\LimeWire
2008-01-24 16:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-20 00:21 --------- d-----w C:\Program Files\LimeWire
2008-01-17 13:07 --------- d-----w C:\Program Files\Yahoo!
2008-01-13 03:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-11 02:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 02:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-28 14:17 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-28 14:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-28 03:38 --------- d-----w C:\Program Files\Trend Micro
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\system32\dllcache\jscript.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2005-09-24 15:49 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 22:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59 224248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56 64512]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 77312 C:\WINDOWS\arpwrmsg.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-02 00:35 49152]
"DMAScheduler"="c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe" [2005-11-01 11:01 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-23 00:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-11-09 18:29 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPwuSchd2.exe" [2005-05-12 08:12 49152]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-03-07 12:40 180269]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-08-21 20:09 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-08-21 20:09 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 09:43 407032]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 08:59 224248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2007-10-30 20:57 1095256]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-12 08:23:26 282624]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-03-07 12:59:31 36903]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-12-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7e74fcc-7ad6-11dc-bc33-0016175760d0}]
\Shell\AutoRun\command - Autorun.exe /run
\Shell\Shell00\Command - Autorun.exe /run
\Shell\Shell01\Command - Autorun.exe /action
\Shell\Shell02\Command - Autorun.exe /uninstall

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 06:58:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-04 6:59:00
ComboFix-quarantined-files.txt 2008-02-04 12:58:50
ComboFix2.txt 2008-02-03 22:35:38
ComboFix3.txt 2008-02-03 21:00:08
.
2008-02-03 18:37:04 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:15 AM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...a...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.h...a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.h...a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
O4 - HKLM\..\Run: [DMAScheduler] c:\Program Files\Sonic\DigitalMedia Plus\DigitalMedia Archive\DMAScheduler.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.co...IEGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1005.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1189872905593
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://voffice.txpc...on.com/NELX.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} (Imikimi_activex_plugin Control) - http://imikimi.com/d...kimi_plugin.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8858 bytes

#14
kahdah

Posted 04 February 2008 - 07:00 PM

GeekU Teacher

Retired Staff
15,822 posts

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK
The above procedure will:
Delete the following:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Clean System Restore points.

Also delete anything that we used that is left over.
==================================
After that Your log is clean.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein ->Here