AIM/AOL Problem



#1 AGK112586
Member, 10 posts

I got an IM from someone on my Buddy List that said something like, "click here to see my new album." But the hyperlink didn't work, and I was stupid enough to copy and paste it into my internet browser, and then it just said that the page was not found. My account lasted the rest of the day, but now it won't let me log into my AIM or my important AOL email (the AIM and AOL are the same account).

Thanks for your help!

Logfile of HijackThis v1.99.1
Scan saved at 8:14:16 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\RSX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\urtclsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\StorageSync\StrgSync.exe
C:\DOCUME~1\karasalg\MYDOCU~1\SCURIT~1\chkntfs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\a?sembly\j?vaw.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FAMTADA.EXE
C:\Documents and Settings\karasalg\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B3DDF548-69F2-697C-8B5C-31E607F20FC4} - C:\WINDOWS\system32\bqretee.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Tte] "C:\Program Files\Common Files\?ymantec\l?gonui.exe"
O4 - HKCU\..\Run: [Dzlumr] C:\WINDOWS\system32\?ssembly\t?skmgr.exe
O4 - HKCU\..\Run: [Dmcf] "C:\Program Files\??crosoft\?canregw.exe"
O4 - HKCU\..\Run: [Lywee] C:\WINDOWS\system32\F?nts\j?vaw.exe
O4 - HKCU\..\Run: [Iqqcrz] "C:\Program Files\Common Files\??mbols\??oolsv.exe"
O4 - HKCU\..\Run: [Vvek] "C:\Program Files\Common Files\?icrosoft\??xplore.exe"
O4 - HKCU\..\Run: [Mvca] "C:\Program Files\Common Files\?ssembly\m?dtc.exe"
O4 - HKCU\..\Run: [Rrpga] C:\WINDOWS\system32\W?nSxS\w?nlogon.exe
O4 - HKCU\..\Run: [Macaufc] "C:\Documents and Settings\karasalg\Application Data\M?crosoft\r?ndll.exe"
O4 - HKCU\..\Run: [Vhs] "C:\Documents and Settings\karasalg\Application Data\?ymbols\m?config.exe"
O4 - HKCU\..\Run: [Hxl] "C:\Program Files\Common Files\F?nts\??anregw.exe"
O4 - HKCU\..\Run: [Xvvzo] "C:\Program Files\Common Files\?racle\r?gedit.exe"
O4 - HKCU\..\Run: [Taxbe] C:\WINDOWS\system32\F?nts\?ti2evxx.exe
O4 - HKCU\..\Run: [Eseougo] "C:\Documents and Settings\karasalg\My Documents\F?nts\j?vaw.exe"
O4 - HKCU\..\Run: [Deya] C:\WINDOWS\M?crosoft\??xplore.exe
O4 - HKCU\..\Run: [Onuc] "C:\DOCUME~1\karasalg\MYDOCU~1\SCURIT~1\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [Ojkgbwgx] "C:\Program Files\?icrosoft\m?hta.exe"
O4 - HKCU\..\Run: [Ivzalv] "C:\Program Files\M?crosoft.NET\w?nlogon.exe"
O4 - HKCU\..\Run: [Ggjpum] "C:\Documents and Settings\karasalg\Application Data\s?stem32\?hkntfs.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Lkgiuc] "C:\Program Files\a?sembly\j?vaw.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Hefqxb] "C:\Program Files\Common Files\??pPatch\m?iexec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.udayton.edu/qp2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf....ler/Install.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://web-student-...du/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros.../client/wuweb_site.cab?1120154725453
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...86/client/muweb_site.cab?1120154971062
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontec...2ie06101001.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Restart Service X (RSX) - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\system32\urtclsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
#2 kahdah
GeekU Teacher, Retired Staff, 15,822 posts

Hello AGK112586

Welcome to G2Go. :)
===========================
Whatever you were sent blasted you with a few infections.
Let's get you cleaned up and we will go from there.
===========================
Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double-click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
#3 AGK112586
Member, Topic Starter, 10 posts

ComboFix 08-02-12.1 - karasalg 2008-02-11 20:52:18.1 - NTFSx86
Running from: C:\Documents and Settings\karasalg\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\karasalg\Application Data\DOBE~1
C:\Documents and Settings\karasalg\Application Data\FNTS~1
C:\Documents and Settings\karasalg\Application Data\MCROSO~1
C:\Documents and Settings\karasalg\Application Data\PPATCH~1
C:\Documents and Settings\karasalg\Application Data\SSTEM3~1
C:\Documents and Settings\karasalg\Application Data\WinTouch
C:\Documents and Settings\karasalg\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\karasalg\Application Data\YMBOLS~1
C:\Documents and Settings\karasalg\My Documents\CROSOF~1.NET
C:\Documents and Settings\karasalg\My Documents\ECURIT~1
C:\Documents and Settings\karasalg\My Documents\FNTS~1
C:\Documents and Settings\karasalg\My Documents\PPATCH~1
C:\Documents and Settings\karasalg\My Documents\PPPATC~1
C:\Documents and Settings\karasalg\My Documents\SCURIT~1
C:\Documents and Settings\karasalg\My Documents\SCURIT~1\chkntfs.exe
C:\Documents and Settings\karasalg\My Documents\SCURIT~1\s?curity\
C:\Documents and Settings\karasalg\My Documents\SSTEM3~1
C:\Documents and Settings\karasalg\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\karasalg\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\karasalg\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\karasalg\Start Menu\Programs\Outerinfo
C:\Documents and Settings\karasalg\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\karasalg\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\asembl~1
C:\Program Files\asembl~1\j?vaw.exe
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~2
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\mbols~1\??oolsv.exe
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\ppatch~1\m?iexec.exe
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\Common Files\ssembl~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
C:\Program Files\Common Files\ymante~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\crosof~1
C:\Program Files\crosof~1\?canregw.exe
C:\Program Files\dobe~1
C:\Program Files\icroso~1
C:\Program Files\icroso~1.net
C:\Program Files\ISM
C:\Program Files\ISM\bndloader.exe
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\mcroso~1.net
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\screensavers.com
C:\Program Files\screensavers.com\Installer\bin\siuninst.exe
C:\Program Files\screensavers.com\Installer\temp\dm8CE.tmp
C:\Program Files\screensavers.com\Wallpaper\Boston Public.jpg
C:\Program Files\screensavers.com\Wallpaper\swpstart.exe
C:\Program Files\smante~1
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191426419.old
C:\WINDOWS\b104.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b128.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\mcroso~1
C:\WINDOWS\ppatch~1
C:\WINDOWS\pppatc~1
C:\WINDOWS\racle~1
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\crosof~1
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~2
C:\WINDOWS\system32\fnts~2\j?vaw.exe
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\ssembl~1\t?skmgr.exe
C:\WINDOWS\system32\wcpicomsv.exe
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\tsks~1
C:\WINDOWS\wr.txt

----- BITS: Possible infected sites -----

hxxp://windowsupdate.udayton.edu
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF
-------\NPF


((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-11 20:48 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-04 23:48 . 2008-02-04 23:54 <DIR> d-------- C:\Program Files\AIM6
2008-01-21 21:54 . 2008-01-21 21:54 <DIR> d-------- C:\Program Files\WordBiz
2008-01-19 01:22 . 2007-12-03 02:10 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-01-19 01:21 . 2008-01-29 20:13 <DIR> d-------- C:\Program Files\Google
2008-01-19 01:20 . 2008-01-19 01:20 34,130,184 --a------ C:\Program Files\GoogleSketchUpWEN.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 02:07 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-12 01:11 488,144 ----a-w C:\Program Files\HJTsetup
2008-02-08 02:04 --------- d-----w C:\Documents and Settings\karasalg\Application Data\Ruckus Network
2008-02-05 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-05 04:48 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-05 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-29 16:50 --------- d-----w C:\Program Files\CUAgent
2008-01-19 06:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 23:52 --------- d--h--w C:\Documents and Settings\karasalg\Application Data\Move Networks
2007-12-18 19:06 --------- d-----w C:\Program Files\Apple Software Update
2007-12-18 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2005-11-03 21:46 1,453,909 ----a-w C:\Program Files\MyTunes1_2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3DDF548-69F2-697C-8B5C-31E607F20FC4}]
C:\WINDOWS\system32\bqretee.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tte"="C:\Program Files\Common Files\?ymantec\l?gonui.exe" [ ]
"Dzlumr"="C:\WINDOWS\system32\?ssembly\t?skmgr.exe" [ ]
"Dmcf"="C:\Program Files\??crosoft\?canregw.exe" [ ]
"Lywee"="C:\WINDOWS\system32\F?nts\j?vaw.exe" [ ]
"Iqqcrz"="C:\Program Files\Common Files\??mbols\??oolsv.exe" [ ]
"Vvek"="C:\Program Files\Common Files\?icrosoft\??xplore.exe" [ ]
"Mvca"="C:\Program Files\Common Files\?ssembly\m?dtc.exe" [ ]
"Rrpga"="C:\WINDOWS\system32\W?nSxS\w?nlogon.exe" [ ]
"Macaufc"="C:\Documents and Settings\karasalg\Application Data\M?crosoft\r?ndll.exe" [ ]
"Vhs"="C:\Documents and Settings\karasalg\Application Data\?ymbols\m?config.exe" [ ]
"Hxl"="C:\Program Files\Common Files\F?nts\??anregw.exe" [ ]
"Xvvzo"="C:\Program Files\Common Files\?racle\r?gedit.exe" [ ]
"Taxbe"="C:\WINDOWS\system32\F?nts\?ti2evxx.exe" [ ]
"Eseougo"="C:\Documents and Settings\karasalg\My Documents\F?nts\j?vaw.exe" [ ]
"Deya"="C:\WINDOWS\M?crosoft\??xplore.exe" [ ]
"Onuc"="C:\DOCUME~1\karasalg\MYDOCU~1\SCURIT~1\chkntfs.exe" [ ]
"Ojkgbwgx"="C:\Program Files\?icrosoft\m?hta.exe" [ ]
"Ivzalv"="C:\Program Files\M?crosoft.NET\w?nlogon.exe" [ ]
"Ggjpum"="C:\Documents and Settings\karasalg\Application Data\s?stem32\?hkntfs.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-29 20:13 171448]
"Lkgiuc"="C:\Program Files\a?sembly\j?vaw.exe" [ ]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]
"Hefqxb"="C:\Program Files\Common Files\??pPatch\m?iexec.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 00:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 00:38 88361 C:\WINDOWS\AGRSMMSG.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 11:31 29696 C:\WINDOWS\KHALMNPR.Exe]
"StrgSync.exe"="C:\Program Files\StorageSync\StrgSync.exe" [2005-10-07 22:01 3032576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [2005-01-24 04:04:14 35840]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2005-09-08 15:12:31 581632]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 14:26:54 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [2005-01-25 16:18 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="ziswin.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 10:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2005-01-10 12:36 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0


.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 14:20:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 21:14:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\xmlparse.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\srvany.exe
C:\WINDOWS\system32\RSX.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\urtclsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\nwlscrpt.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
.
**************************************************************************
.
Completion time: 2008-02-11 21:20:24 - machine was rebooted [karasalg]
ComboFix-quarantined-files.txt 2008-02-12 02:20:19
Logfile of HijackThis v1.99.1
Scan saved at 8:14:16 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\RSX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\urtclsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\StorageSync\StrgSync.exe
C:\DOCUME~1\karasalg\MYDOCU~1\SCURIT~1\chkntfs.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\3M\PSNLite\PsnLite.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\3M\PSNLite\PSNGive.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\a?sembly\j?vaw.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FAMTADA.EXE
C:\Documents and Settings\karasalg\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B3DDF548-69F2-697C-8B5C-31E607F20FC4} - C:\WINDOWS\system32\bqretee.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Tte] "C:\Program Files\Common Files\?ymantec\l?gonui.exe"
O4 - HKCU\..\Run: [Dzlumr] C:\WINDOWS\system32\?ssembly\t?skmgr.exe
O4 - HKCU\..\Run: [Dmcf] "C:\Program Files\??crosoft\?canregw.exe"
O4 - HKCU\..\Run: [Lywee] C:\WINDOWS\system32\F?nts\j?vaw.exe
O4 - HKCU\..\Run: [Iqqcrz] "C:\Program Files\Common Files\??mbols\??oolsv.exe"
O4 - HKCU\..\Run: [Vvek] "C:\Program Files\Common Files\?icrosoft\??xplore.exe"
O4 - HKCU\..\Run: [Mvca] "C:\Program Files\Common Files\?ssembly\m?dtc.exe"
O4 - HKCU\..\Run: [Rrpga] C:\WINDOWS\system32\W?nSxS\w?nlogon.exe
O4 - HKCU\..\Run: [Macaufc] "C:\Documents and Settings\karasalg\Application Data\M?crosoft\r?ndll.exe"
O4 - HKCU\..\Run: [Vhs] "C:\Documents and Settings\karasalg\Application Data\?ymbols\m?config.exe"
O4 - HKCU\..\Run: [Hxl] "C:\Program Files\Common Files\F?nts\??anregw.exe"
O4 - HKCU\..\Run: [Xvvzo] "C:\Program Files\Common Files\?racle\r?gedit.exe"
O4 - HKCU\..\Run: [Taxbe] C:\WINDOWS\system32\F?nts\?ti2evxx.exe
O4 - HKCU\..\Run: [Eseougo] "C:\Documents and Settings\karasalg\My Documents\F?nts\j?vaw.exe"
O4 - HKCU\..\Run: [Deya] C:\WINDOWS\M?crosoft\??xplore.exe
O4 - HKCU\..\Run: [Onuc] "C:\DOCUME~1\karasalg\MYDOCU~1\SCURIT~1\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [Ojkgbwgx] "C:\Program Files\?icrosoft\m?hta.exe"
O4 - HKCU\..\Run: [Ivzalv] "C:\Program Files\M?crosoft.NET\w?nlogon.exe"
O4 - HKCU\..\Run: [Ggjpum] "C:\Documents and Settings\karasalg\Application Data\s?stem32\?hkntfs.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Lkgiuc] "C:\Program Files\a?sembly\j?vaw.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Hefqxb] "C:\Program Files\Common Files\??pPatch\m?iexec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.udayton.edu/qp2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf....ler/Install.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://web-student-...du/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120154725453
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120154971062
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontec...2ie06101001.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Restart Service X (RSX) - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\system32\urtclsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll (file missing)
O2 - BHO: (no name) - {B3DDF548-69F2-697C-8B5C-31E607F20FC4} - C:\WINDOWS\system32\bqretee.dll (file missing)
O4 - HKCU\..\Run: [Tte] "C:\Program Files\Common Files\?ymantec\l?gonui.exe"
O4 - HKCU\..\Run: [Dzlumr] C:\WINDOWS\system32\?ssembly\t?skmgr.exe
O4 - HKCU\..\Run: [Dmcf] "C:\Program Files\??crosoft\?canregw.exe"
O4 - HKCU\..\Run: [Lywee] C:\WINDOWS\system32\F?nts\j?vaw.exe
O4 - HKCU\..\Run: [Iqqcrz] "C:\Program Files\Common Files\??mbols\??oolsv.exe"
O4 - HKCU\..\Run: [Vvek] "C:\Program Files\Common Files\?icrosoft\??xplore.exe"
O4 - HKCU\..\Run: [Mvca] "C:\Program Files\Common Files\?ssembly\m?dtc.exe"
O4 - HKCU\..\Run: [Rrpga] C:\WINDOWS\system32\W?nSxS\w?nlogon.exe
O4 - HKCU\..\Run: [Macaufc] "C:\Documents and Settings\karasalg\Application Data\M?crosoft\r?ndll.exe"
O4 - HKCU\..\Run: [Vhs] "C:\Documents and Settings\karasalg\Application Data\?ymbols\m?config.exe"
O4 - HKCU\..\Run: [Hxl] "C:\Program Files\Common Files\F?nts\??anregw.exe"
O4 - HKCU\..\Run: [Xvvzo] "C:\Program Files\Common Files\?racle\r?gedit.exe"
O4 - HKCU\..\Run: [Taxbe] C:\WINDOWS\system32\F?nts\?ti2evxx.exe
O4 - HKCU\..\Run: [Eseougo] "C:\Documents and Settings\karasalg\My Documents\F?nts\j?vaw.exe"
O4 - HKCU\..\Run: [Deya] C:\WINDOWS\M?crosoft\??xplore.exe
O4 - HKCU\..\Run: [Onuc] "C:\DOCUME~1\karasalg\MYDOCU~1\SCURIT~1\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [Ojkgbwgx] "C:\Program Files\?icrosoft\m?hta.exe"
O4 - HKCU\..\Run: [Ivzalv] "C:\Program Files\M?crosoft.NET\w?nlogon.exe"
O4 - HKCU\..\Run: [Ggjpum] "C:\Documents and Settings\karasalg\Application Data\s?stem32\?hkntfs.exe"
O4 - HKCU\..\Run: [Lkgiuc] "C:\Program Files\a?sembly\j?vaw.exe"
O4 - HKCU\..\Run: [Hefqxb] "C:\Program Files\Common Files\??pPatch\m?iexec.exe"
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com

Now click on Fix Checked and then close Hijackthis.
============================================================
1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
C:\DOCUME~1\karasalg\MYDOCU~1\SCURIT~1
C:\Program Files\asembl~1
C:\Program Files\WinBudget
C:\Program Files\Viewpoint
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=""
Driver::
Viewpoint Manager Service


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Posted image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
===========================================
Also, you have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0
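
The HKCU Run entries kahdah picks out above share two traits a responder can check for automatically: the folder names imitate real vendors (Symantec, Microsoft, Oracle, Fonts) but contain characters HijackThis cannot display, which it prints as `?`, and the file names imitate well-known system binaries (winlogon.exe, regedit.exe, spoolsv.exe, taskmgr.exe) while living nowhere near their real locations. The following Python script is an added example, not part of HijackThis, ComboFix or anything the helpers in this thread posted: it triages a HijackThis log for those traits, plus BHOs whose DLL is missing and domains pushed into the IE Trusted Zone. The sample log lines are copied from the logs in this thread; the list of imitated system binaries and the directories they normally live in are my own assumptions for the example.

```python
import re

# Windows/vendor binaries whose names the HKCU Run entries in the thread imitate.
# Assumption for this example: a hand-picked list, not anything HijackThis ships.
SYSTEM_BINARIES = {
    "winlogon.exe", "logonui.exe", "taskmgr.exe", "spoolsv.exe", "msdtc.exe",
    "msiexec.exe", "mshta.exe", "iexplore.exe", "regedit.exe", "rundll32.exe",
    "chkntfs.exe", "msconfig.exe", "scanregw.exe", "javaw.exe", "ati2evxx.exe",
}

# Directories in which those binaries normally live (assumed; compared case-insensitively).
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows",
    r"c:\program files\internet explorer",
}

# "O4 - HKCU\..\Run: [Name] command line"
O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Constructed sample: a mix of benign and suspicious lines taken from this thread's logs.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {B3DDF548-69F2-697C-8B5C-31E607F20FC4} - C:\WINDOWS\system32\bqretee.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Tte] "C:\Program Files\Common Files\?ymantec\l?gonui.exe"
O4 - HKCU\..\Run: [Rrpga] C:\WINDOWS\system32\W?nSxS\w?nlogon.exe
O4 - HKCU\..\Run: [Onuc] "C:\DOCUME~1\karasalg\MYDOCU~1\SCURIT~1\chkntfs.exe" -vt ndrv
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O15 - Trusted Zone: *.doginhispen.com
"""


def executable_path(cmd: str) -> str:
    """Pull the program path out of a Run value; quoted paths may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def mimicked_binary(basename: str):
    """Return the system binary a file name imitates, treating '?' (HijackThis's
    stand-in for a character it could not display) as a one-character wildcard."""
    pattern = re.compile("^" + re.escape(basename.lower()).replace(r"\?", ".") + "$")
    return next((known for known in sorted(SYSTEM_BINARIES) if pattern.match(known)), None)


def triage(log_text: str):
    """Return (line, reason) pairs for HijackThis entries that deserve a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("O2 - BHO:") and line.endswith("(file missing)"):
            findings.append((line, "BHO registered but its DLL is missing"))
            continue
        if line.startswith("O15 - Trusted Zone:"):
            findings.append((line, "domain added to the IE Trusted Zone (relaxed security settings)"))
            continue
        m = O4_RUN.match(line)
        if not m:
            continue
        path = executable_path(m.group("cmd"))
        directory, _, basename = path.rpartition("\\")
        reasons = []
        # Unprintable or non-ASCII characters in a path are a lookalike-folder tell.
        if any(c == "?" or ord(c) > 126 for c in path):
            reasons.append("path contains characters HijackThis could not display")
        known = mimicked_binary(basename)
        if known and directory.lower() not in EXPECTED_DIRS:
            reasons.append(f"imitates {known} outside its normal location")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The wildcard match is what lets `w?nlogon.exe` line up with `winlogon.exe` even though the real character is not in the log; the location check is what separates a genuine `C:\WINDOWS\system32\winlogon.exe` from the copy under `W?nSxS`. Neither rule fires on the legitimate `swg`, `Aim6` or `SoundMan` entries.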

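The Downloader.Agent.awf behaviour kahdah describes (the legitimate executable is moved into a `bak` folder and a trojan takes its place) leaves a pattern that FindAWF's report exposes: every backed-up file is listed, and the "Duplicate files" section lists every file on disk with the same size. If a same-size copy sits at the original path (the `bak` path with the `bak` component removed), the legitimate file is back in place; if not, the file at that path is either still the replacement or, as with `aim.exe` here, gone. The following Python script is an added example, not FindAWF's own code nor anything from this thread: it parses a FindAWF-style report and classifies each backup accordingly. The sample report is a constructed subset of the one the topic starter posts later in this thread.

```python
import re

# FindAWF report lines: "Directory of <8.3 bak folder>", then dir-style file lines,
# then the "Duplicate files" section with long-name paths. Regexes are my reading
# of the report format shown in this thread, not FindAWF's specification.
BAK_DIR_RE = re.compile(r"^Directory of (?P<dir>.+)$")
BAK_FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4} +\d{2}:\d{2} +[AP]M +(?P<size>[\d,]+) +(?P<name>.+)$")
DUP_RE = re.compile(r'^(?P<size>\d+) \w{3} +\d{1,2} \d{4} "(?P<path>.+)"$')

# Constructed sample: three of the bak folders from the report in this thread.
SAMPLE_REPORT = r"""
Find AWF report by noahdfear 2006
Version 1.40

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\AIM\BAK

12/08/2004 05:50 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 06:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

11/01/2004 07:59 PM 126,976 hkcmd.exe
1 File(s) 126,976 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67160 Jan 21 2005 "C:\Misc\AIM\v5.9\aim.exe"
67160 Dec 8 2004 "C:\Program Files\AIM\bak\aim.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe"

end of report
"""


def parse_report(text: str):
    """Return (bak_files, duplicates): bak_files as (bak_dir, name, size),
    duplicates as (size, long_path)."""
    bak_files, duplicates, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = BAK_DIR_RE.match(line)
        if m:
            current = m.group("dir")
            continue
        m = BAK_FILE_RE.match(line)
        if m and current:
            bak_files.append((current, m.group("name"), int(m.group("size").replace(",", ""))))
            continue
        m = DUP_RE.match(line)
        if m:
            duplicates.append((int(m.group("size")), m.group("path")))
    return bak_files, duplicates


def live_path(bak_path: str):
    """Map ...\bak\foo.exe to ...\foo.exe; None if the path has no bak component."""
    parts = bak_path.split("\\")
    if len(parts) >= 2 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def classify(duplicates):
    """For each backup the trojan left behind, report whether the displaced file is
    back at its live path (same size as the backup) or still replaced/missing."""
    size_at = {path.lower(): size for size, path in duplicates}
    verdicts = {}
    for size, path in duplicates:
        live = live_path(path)
        if live is None:
            continue
        if size_at.get(live.lower()) == size:
            verdicts[live] = "intact (same size as backup)"
        else:
            verdicts[live] = "replaced or missing (no same-size copy at live path)"
    return verdicts


if __name__ == "__main__":
    bak_files, dups = parse_report(SAMPLE_REPORT)
    print(f"{len(bak_files)} backed-up files in {len({d for d, _, _ in bak_files})} bak folders")
    for live, verdict in classify(dups).items():
        print(f"{verdict:55} {live}")
```

On the sample, `VPTray.exe` comes back intact while `aim.exe` and `hkcmd.exe` do not: the `ReinstallBackups` copy of `hkcmd.exe` has the right size but is not at the live path, which is exactly the distinction the restore step (FindAWF option 2) needs to make.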
#5 AGK112586 (Member, Topic Starter, 10 posts)
Thanks for all your help so far!

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 02/11/2008
The current time is: 22:46:17.64


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

12/08/2004 05:50 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\APOINT2K\BAK

06/18/2003 01:44 AM 151,552 Apoint.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\EZBUTTON\BAK

01/02/2005 11:21 PM 417,792 EzButton.EXE
1 File(s) 417,792 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\LTMOH\BAK

04/28/2003 02:08 AM 184,320 Ltmoh.exe
1 File(s) 184,320 bytes

Directory of C:\PROGRA~1\PCOUNTER\BAK

08/05/2002 01:43 PM 67,584 WBALANCE.EXE
1 File(s) 67,584 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\STORAG~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 06:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

05/17/2004 01:27 PM 32,859 dpmw32.exe
11/01/2004 07:59 PM 126,976 hkcmd.exe
11/01/2004 09:03 PM 155,648 igfxtray.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
01/17/2005 10:33 AM 40,960 zentray.exe
5 File(s) 512,091 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/02/2005 08:21 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

07/15/2004 12:07 AM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

03/30/2004 09:12 PM 118,784 mm_tray.exe
03/30/2004 09:12 PM 53,248 mmtask.exe
2 File(s) 172,032 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/30/2005 12:15 PM 151,552 realsched.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

10/15/2004 10:31 AM 356,352 EOUWiz.exe
10/15/2004 10:27 AM 385,024 ifrmewrk.exe
2 File(s) 741,376 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

06/03/2005 02:52 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004 03:00 AM 98,304 E_FATI9AA.EXE
02/01/2005 10:00 PM 98,304 E_FATIADA.EXE
2 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67160 Jan 21 2005 "C:\Misc\AIM\v5.9\aim.exe"
67160 Dec 8 2004 "C:\Program Files\AIM\bak\aim.exe"
151552 Jun 18 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
151552 Jun 18 2003 "C:\Misc\Drivers\TouchPad\Alps\5.3.204.5\Apoint.exe"
417792 Jan 2 2005 "C:\Program Files\EzButton\bak\EzButton.EXE"
417792 Jan 2 2005 "C:\Misc\Drivers\Easy Button\V1.000\EzButton.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 14 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Nov 14 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
184320 Apr 28 2003 "C:\Program Files\ltmoh\bak\Ltmoh.exe"
184320 Apr 28 2003 "C:\Misc\Drivers\Modem\Agere AC97\V2.1.46\LtMoh.exe"
67584 Aug 5 2002 "C:\Program Files\PCounter\bak\WBALANCE.EXE"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
32859 May 17 2004 "C:\WINDOWS\system32\bak\dpmw32.exe"
32859 May 17 2004 "C:\Misc\Novell\Client32\Build20051209_v0602_ClientOnly_C\redir\dpmw32.exe"
32859 May 17 2004 "C:\Misc\Novell\Client32\v0503\redir\dpmw32.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe"
126976 Nov 1 2004 "C:\Misc\Drivers\Video\Intel\14.9.0.3943\Win2000\hkcmd.exe"
155648 Nov 1 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Nov 1 2004 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe"
155648 Nov 1 2004 "C:\Misc\Drivers\Video\Intel\14.9.0.3943\Win2000\igfxtray.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
40960 Jan 17 2005 "C:\WINDOWS\system32\bak\zentray.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
32768 Jul 15 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
53248 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
53248 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
118784 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
118784 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
151552 Jun 30 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
356352 Oct 15 2004 "C:\Program Files\Intel\Wireless\Bin\bak\EOUWiz.exe"
385024 Oct 15 2004 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx460035df\E_FATI9AA.EXE"
98304 Feb 1 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx4800f6be\E_FATIADA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9AA.EXE"
98304 Feb 1 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIADA.EXE"


end of report

ComboFix 08-02-12.1 - karasalg 2008-02-11 22:24:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.143 [GMT -5:00]
Running from: C:\Documents and Settings\karasalg\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\karasalg\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Common\VistaBoot.sdll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentMgr_0305001C.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLArt.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\DataTracking.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\GifReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\LensFlares.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ObjectMovie.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ServiceComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VectorView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPAudio.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPExtras.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\ZoomView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\VETScriptInterpreter.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.xpt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_VIEWPOINT_MANAGER_SERVICE
-------\Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-11 20:48 . 2004-08-03 23:56 388,608 --a------ C:\kmd.exe
2008-02-04 23:48 . 2008-02-04 23:54 <DIR> d-------- C:\Program Files\AIM6
2008-01-21 21:54 . 2008-01-21 21:54 <DIR> d-------- C:\Program Files\WordBiz
2008-01-19 01:22 . 2007-12-03 02:10 644,400 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
2008-01-19 01:21 . 2008-01-29 20:13 <DIR> d-------- C:\Program Files\Google
2008-01-19 01:20 . 2008-01-19 01:20 34,130,184 --a------ C:\Program Files\GoogleSketchUpWEN.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-12 03:37 --------- d-----w C:\Program Files\CUAgent
2008-02-12 03:35 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-12 01:11 488,144 ----a-w C:\Program Files\HJTsetup
2008-02-08 02:04 --------- d-----w C:\Documents and Settings\karasalg\Application Data\Ruckus Network
2008-02-05 04:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-02-05 04:48 --------- d-----w C:\Program Files\Common Files\AOL
2008-02-05 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-01-19 06:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-16 23:52 --------- d--h--w C:\Documents and Settings\karasalg\Application Data\Move Networks
2007-12-18 19:06 --------- d-----w C:\Program Files\Apple Software Update
2007-12-18 19:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2005-11-03 21:46 1,453,909 ----a-w C:\Program Files\MyTunes1_2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-29 20:13 171448]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 11:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-08-30 00:48 69632 C:\WINDOWS\SOUNDMAN.EXE]
"AGRSMMSG"="AGRSMMSG.exe" [2004-07-22 00:38 88361 C:\WINDOWS\AGRSMMSG.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 10:37 28672 C:\WINDOWS\system32\nwtray.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-06-08 11:31 29696 C:\WINDOWS\KHALMNPR.Exe]
"StrgSync.exe"="C:\Program Files\StorageSync\StrgSync.exe" [2005-10-07 22:01 3032576]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26 29696]
Application Explorer.lnk - C:\Program Files\Novell\ZENworks\NalView.exe [2005-01-24 04:04:14 35840]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\KEM.exe [2005-09-08 15:12:31 581632]
Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-10-15 14:26:54 2080768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= C:\Program Files\Novell\ZENworks\NalShell.dll [2005-01-25 16:18 417792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 10:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
C:\WINDOWS\system32\Novell\XtNotify.dll 2005-01-10 12:36 24576 C:\WINDOWS\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

R1 nipplpt;Novell iCapture Lpt Redirector;C:\WINDOWS\system32\drivers\nipplpt.sys [2004-01-07 09:03]
R2 BlankScr;HBDevice;C:\WINDOWS\system32\drivers\BlankScr.sys [2005-01-17 11:23]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2004-11-22 12:07]
R2 RSX;Restart Service X;C:\WINDOWS\system32\srvany.exe [1999-12-21 06:59]
R2 urtclientservice;URT Client Service;C:\WINDOWS\system32\urtclsvc.exe [2004-03-31 18:01]
R2 XTAgent;Novell XTier Agent Services;C:\WINDOWS\System32\Novell\XTAgent.exe [2005-01-10 12:36]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-06 14:20:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-11 22:37:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\RSX.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2008-02-11 22:42:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 03:42:18
ComboFix2.txt 2008-02-12 02:20:24

Logfile of HijackThis v1.99.1
Scan saved at 10:50:55 PM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\RSX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\urtclsvc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\karasalg\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.udayton.edu/qp2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf....ler/Install.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://web-student-...du/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120154725453
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120154971062
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontec...2ie06101001.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Restart Service X (RSX) - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\system32\urtclsvc.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0

#6
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
You are welcome :)

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    Insert Files to be moved

    "C:\Program Files\AIM\bak\aim.exe"
    "C:\Program Files\Apoint2K\bak\Apoint.exe"
    "C:\Program Files\EzButton\bak\EzButton.EXE"
    "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    "C:\Program Files\ltmoh\bak\Ltmoh.exe"
    "C:\Program Files\PCounter\bak\WBALANCE.EXE"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
    "C:\WINDOWS\system32\bak\dpmw32.exe"
    "C:\WINDOWS\system32\bak\hkcmd.exe"
    "C:\WINDOWS\system32\bak\igfxtray.exe"
    "C:\WINDOWS\system32\bak\NeroCheck.exe"
    "C:\WINDOWS\system32\bak\zentray.exe"
    "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
    "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    "C:\Program Files\Intel\Wireless\Bin\bak\EOUWiz.exe"
    "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
    "C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"
    "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9AA.EXE"
    "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIADA.EXE"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for .bak folders
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#7
AGK112586

AGK112586

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 02/11/2008
The current time is: 23:36:56.21


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

12/08/2004 05:50 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\APOINT2K\BAK

06/18/2003 01:44 AM 151,552 Apoint.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\EZBUTTON\BAK

01/02/2005 11:21 PM 417,792 EzButton.EXE
1 File(s) 417,792 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\LTMOH\BAK

04/28/2003 02:08 AM 184,320 Ltmoh.exe
1 File(s) 184,320 bytes

Directory of C:\PROGRA~1\PCOUNTER\BAK

08/05/2002 01:43 PM 67,584 WBALANCE.EXE
1 File(s) 67,584 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\STORAG~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

06/23/2005 06:27 PM 85,696 VPTray.exe
1 File(s) 85,696 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

05/17/2004 01:27 PM 32,859 dpmw32.exe
11/01/2004 07:59 PM 126,976 hkcmd.exe
11/01/2004 09:03 PM 155,648 igfxtray.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
01/17/2005 10:33 AM 40,960 zentray.exe
5 File(s) 512,091 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

06/02/2005 08:21 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

07/15/2004 12:07 AM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~2\BAK

03/30/2004 09:12 PM 118,784 mm_tray.exe
03/30/2004 09:12 PM 53,248 mmtask.exe
2 File(s) 172,032 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/30/2005 12:15 PM 151,552 realsched.exe
1 File(s) 151,552 bytes

Directory of C:\PROGRA~1\INTEL\WIRELESS\BIN\BAK

10/15/2004 10:31 AM 356,352 EOUWiz.exe
10/15/2004 10:27 AM 385,024 ifrmewrk.exe
2 File(s) 741,376 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

06/03/2005 02:52 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004 03:00 AM 98,304 E_FATI9AA.EXE
02/01/2005 10:00 PM 98,304 E_FATIADA.EXE
2 File(s) 196,608 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67160 Dec 8 2004 "C:\Program Files\AIM\aim.exe"
67160 Jan 21 2005 "C:\Misc\AIM\v5.9\aim.exe"
67160 Dec 8 2004 "C:\Program Files\AIM\bak\aim.exe"
151552 Jun 18 2003 "C:\Program Files\Apoint2K\Apoint.exe"
151552 Jun 18 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
151552 Jun 18 2003 "C:\Misc\Drivers\TouchPad\Alps\5.3.204.5\Apoint.exe"
417792 Jan 2 2005 "C:\Program Files\EzButton\EzButton.EXE"
417792 Jan 2 2005 "C:\Program Files\EzButton\bak\EzButton.EXE"
417792 Jan 2 2005 "C:\Misc\Drivers\Easy Button\V1.000\EzButton.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 14 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Nov 14 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
184320 Apr 28 2003 "C:\Program Files\ltmoh\Ltmoh.exe"
184320 Apr 28 2003 "C:\Program Files\ltmoh\bak\Ltmoh.exe"
184320 Apr 28 2003 "C:\Misc\Drivers\Modem\Agere AC97\V2.1.46\LtMoh.exe"
67584 Aug 5 2002 "C:\Program Files\PCounter\WBALANCE.EXE"
67584 Aug 5 2002 "C:\Program Files\PCounter\bak\WBALANCE.EXE"
282624 Oct 25 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
32859 May 17 2004 "C:\WINDOWS\system32\dpmw32.exe"
32859 May 17 2004 "C:\WINDOWS\system32\bak\dpmw32.exe"
32859 May 17 2004 "C:\Misc\Novell\Client32\Build20051209_v0602_ClientOnly_C\redir\dpmw32.exe"
32859 May 17 2004 "C:\Misc\Novell\Client32\v0503\redir\dpmw32.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe"
126976 Nov 1 2004 "C:\Misc\Drivers\Video\Intel\14.9.0.3943\Win2000\hkcmd.exe"
155648 Nov 1 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Nov 1 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Nov 1 2004 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\igfxtray.exe"
155648 Nov 1 2004 "C:\Misc\Drivers\Video\Intel\14.9.0.3943\Win2000\igfxtray.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
40960 Jan 17 2005 "C:\WINDOWS\system32\zentray.exe"
40960 Jan 17 2005 "C:\WINDOWS\system32\bak\zentray.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
32768 Jul 15 2004 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Jul 15 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
53248 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
53248 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
118784 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
118784 Mar 30 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
151552 Jun 30 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151552 Jun 30 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
356352 Oct 15 2004 "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
356352 Oct 15 2004 "C:\Program Files\Intel\Wireless\Bin\bak\EOUWiz.exe"
385024 Oct 15 2004 "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe"
385024 Oct 15 2004 "C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9AA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx460035df\E_FATI9AA.EXE"
98304 Feb 1 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx4800f6be\E_FATIADA.EXE"
98304 Mar 4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATI9AA.EXE"
98304 Feb 1 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIADA.EXE"
98304 Feb 1 2005 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_FATIADA.EXE"


end of report
  • 0
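The "Duplicate files of bak directory contents" section above is what the helper reads before deciding which bak folders to remove: a bak copy whose live twin one folder up has the same size and date is just a leftover backup, while a live file that differs is the one the restore step (option 2) copies back over. As an added example, not part of FindAWF or of this thread, the Python below parses that section and performs that comparison; the sample report is constructed in the report's layout and, unlike the thread's already-restored report, includes one mismatched pair and one bak copy with no live twin listed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the FindAWF 1.40 report layout seen in this thread.
# Unlike the thread's post-restore report, it includes one bak copy whose live
# counterpart has a different size and date, and one with no live twin listed.
SAMPLE_REPORT = r"""Find AWF report by noahdfear ©2006
Version 1.40
Option 1 run successfully

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\AIM\BAK

12/08/2004 05:50 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67160 Dec 8 2004 "C:\Program Files\AIM\aim.exe"
67160 Jan 21 2005 "C:\Misc\AIM\v5.9\aim.exe"
67160 Dec 8 2004 "C:\Program Files\AIM\bak\aim.exe"
151552 Jun 18 2003 "C:\Program Files\Apoint2K\bak\Apoint.exe"
40960 Jan 17 2005 "C:\WINDOWS\system32\bak\zentray.exe"
24576 Feb 10 2008 "C:\WINDOWS\system32\zentray.exe"

end of report
"""

# One line of the "Duplicate files" section: <size> <Mon> <day> <year> "<path>"
DUP_LINE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')


@dataclass(frozen=True)
class Entry:
    size: int
    date: str   # normalised to single spaces, e.g. "Dec 8 2004"
    path: str


def parse_duplicates(report):
    """Return the Entry list from the 'Duplicate files' section, in order."""
    entries, in_section = [], False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("end of report"):
            break
        m = DUP_LINE.match(line)
        if m:
            date = " ".join(m.group(2).split())
            entries.append(Entry(int(m.group(1)), date, m.group(3)))
    return entries


def is_bak_copy(path):
    """True when the file sits directly inside a folder named 'bak'."""
    parts = path.lower().split("\\")
    return len(parts) >= 3 and parts[-2] == "bak"


def live_path_for(bak_path):
    """Path the bak copy was moved from: same file name, one folder up."""
    parts = bak_path.split("\\")
    return "\\".join(parts[:-2] + parts[-1:])


def triage(report):
    """Map each bak copy to 'match', 'mismatch' or 'live file not in report'.

    'match'    : live file has the bak copy's size and date (bak is a leftover)
    'mismatch' : live file differs, which is what option 2 (restore) exists to fix
    """
    entries = parse_duplicates(report)
    by_path = {e.path.lower(): e for e in entries}  # Windows paths: case-insensitive
    verdicts = {}
    for e in entries:
        if not is_bak_copy(e.path):
            continue
        live = by_path.get(live_path_for(e.path).lower())
        if live is None:
            verdicts[e.path] = "live file not in report"
        elif (live.size, live.date) == (e.size, e.date):
            verdicts[e.path] = "match"
        else:
            verdicts[e.path] = "mismatch"
    return verdicts


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORT).items():
        print(f"{verdict:24} {path}")
```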

#8
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Program Files\AIM\bak
    C:\Program Files\Apoint2K\bak
    C:\Program Files\EzButton\bak
    C:\Program Files\iTunes\bak
    C:\Program Files\ltmoh\bak
    C:\Program Files\PCounter\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\Symantec AntiVirus\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\CyberLink\PowerDVD\bak
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
    C:\Program Files\Common Files\Real\Update_OB\bak
    C:\Program Files\Intel\Wireless\Bin\bak
    C:\Program Files\Java\jre1.5.0_04\bin\bak
    C:\WINDOWS\system32\spool\drivers\w32x86\3\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for .bak folders
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

  • 0

#9
AGK112586

AGK112586

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 02/11/2008
The current time is: 23:47:59.07


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\STORAG~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

11/01/2004 07:59 PM 126,976 hkcmd.exe
1 File(s) 126,976 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

126976 Nov 1 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 1 2004 "C:\WINDOWS\system32\ReinstallBackups\0012\DriverFiles\hkcmd.exe"
126976 Nov 1 2004 "C:\Misc\Drivers\Video\Intel\14.9.0.3943\Win2000\hkcmd.exe"


end of report
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\PROGRA~1\STORAG~1\BAK
    C:\WINDOWS\system32\bak
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
After that please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0

#11
AGK112586

AGK112586

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Incident Status Location

Adware:adware/wupd Not disinfected Windows Registry
Adware:Adware/Yazzle Not disinfected C:\1074.tmp
Adware:Adware/Adband Not disinfected C:\1075.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.ad.yieldmanager.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.overture.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.adserver.easyad.info/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.com.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.go.com/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\karasalg\Application Data\Mozilla\Firefox\Profiles\8xcvwnx7.default\cookies.txt[.atwola.com/]
Hacktool:Exploit/Gimsh.B Not disinfected C:\Documents and Settings\karasalg\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-22e45ba7.zip[vmain.class]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\karasalg\Cookies\[email protected][1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\karasalg\Cookies\[email protected][2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\karasalg\Cookies\[email protected][1].txt
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@apmebf[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@atwola[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@bravenet[2].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@burstnet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@com[1].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@fortunecity[1].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@go[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@realmedia[2].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\karasalg\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\karasalg\Cookies\karasalg@statcounter[1].txt
Spyware:Cookie/Clicktracks Not disinfected C:\Documents and Settings\karasalg\Cookies\[email protected][2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\karasalg\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\karasalg\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\karasalg\Desktop\ComboFix.exe[327882R2FWJFW\nircmd.cfexe]
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Cookies\system@enhance[2].txt
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\Documents and Settings\karasalg\My Documents\SCURIT~1\chkntfs.exe.vir
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\MBOLS~1\??oolsv.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\Program Files\CROSOF~1\?canregw.exe.vir
Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir[UE.exe]
Adware:Adware/Comet Not disinfected C:\QooBox\Quarantine\C\Program Files\Screensavers.com\Installer\bin\siuninst.exe.vir
Virus:Generic Trojan Disinfected C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\WINDOWS\b128.exe.vir
Adware:Adware/DeluxeComunications Not disinfected C:\QooBox\Quarantine\C\WINDOWS\b136.exe.vir
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\FNTS~2\j?vaw.exe.vir
Adware:Adware/PurityScan Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\SSEMBL~1\t?skmgr.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\Nircmd.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\crhfms.dll
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\frps.dll
C:\PROGRA~1\STORAG~1\BAK moved successfully.
C:\WINDOWS\system32\bak moved successfully.

OTMoveIt2 v1.0.19 log created on 02112008_235958
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
================================================================
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\1074.tmp 
    C:\1075.tmp 
    C:\WINDOWS\system32\crhfms.dll 
    C:\WINDOWS\system32\frps.dll 
    C:\Documents and Settings\karasalg\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-22e45ba7.zip
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
===========================
Post a new Hijackthis log and the ot move it log and we are a few steps from being done. :)
  • 0

#13
AGK112586

AGK112586

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
C:\1074.tmp moved successfully.
C:\1075.tmp moved successfully.
C:\WINDOWS\system32\crhfms.dll unregistered successfully.
C:\WINDOWS\system32\crhfms.dll moved successfully.
C:\WINDOWS\system32\frps.dll unregistered successfully.
C:\WINDOWS\system32\frps.dll moved successfully.
File/Folder C:\Documents and Settings\karasalg\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-22e45ba7.zip not found.

OTMoveIt2 v1.0.19 log created on 02122008_081800




Logfile of HijackThis v1.99.1
Scan saved at 8:19:53 AM, on 2/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\RSX.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\urtclsvc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\StorageSync\StrgSync.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\karasalg\Desktop\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [StrgSync.exe] C:\Program Files\StorageSync\StrgSync.exe -w
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NalView.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://quickplace.udayton.edu/qp2.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540012} (CInstall Class) - http://www.funnytaf....ler/Install.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://web-student-...du/iNotes6W.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120154725453
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120154971062
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D0B5B58D-8CB9-4EDB-8BB0-9D34AEF727CF} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontec...2ie06101001.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = udayton.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = udayton.edu
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: NetIdentity Notification - C:\WINDOWS\system32\Novell\XtNotify.dll
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Restart Service X (RSX) - Unknown owner - C:\WINDOWS\system32\srvany.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\system32\urtclsvc.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0

#14
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
One more thing I would like to check

Please submit the following file to one of these online file scanners.
(All you have to do is copy and paste it in)

C:\WINDOWS\system32\srvany.exe

Jotti File Scan
VirusTotal File Scan

This will produce a report after the scan is complete; please copy and paste those results in your next post.
  • 0
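kahdah's request singles out srvany.exe, which sits in one of the O23 (service) lines of the log above. As an added example, not code from this thread or from HijackThis, here is a small Python triage helper that parses O23 lines and flags the properties a log helper looks for before asking for a file scan: "Unknown owner" (no vendor string in the binary), "(file missing)", unexpanded environment variables in the path, and generic service wrappers such as srvany.exe, a legitimate Microsoft Resource Kit tool that starts whatever program the service's Parameters\Application registry value names, so the launched program rather than the wrapper is what needs verifying. The sample lines are copied from the log above; the flag rules, the wrapper list and all function names are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Sample O23 entries copied from the HijackThis log posted above
# (only a handful; the full log is in the thread).
SAMPLE_O23_LINES = [
    r"O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
    r'O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)',
    r"O23 - Service: Restart Service X (RSX) - Unknown owner - C:\WINDOWS\system32\srvany.exe",
    r"O23 - Service: URT Client Service (urtclientservice) - Unknown owner - C:\WINDOWS\system32\urtclsvc.exe",
    r"O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe",
]

# Generic "run any program as a service" hosts (assumed list). The host binary
# is benign by itself; the value it is configured to launch is what to review.
SERVICE_WRAPPERS = {
    "srvany.exe": r"HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\Application",
}

_EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)   # first executable name in the path
_SHORT_RE = re.compile(r"\(([^()]+)\)\s*$")                # trailing "(shortname)" in the display name


@dataclass
class ServiceEntry:
    display_name: str
    short_name: str
    owner: str
    image_path: str
    image: str
    flags: list = field(default_factory=list)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Split one HijackThis O23 line into display name, owner and image path."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    # rsplit from the right so a display name containing " - " does not break the split
    try:
        display, owner, path = line[len(prefix):].rsplit(" - ", 2)
    except ValueError:
        return None
    short = _SHORT_RE.search(display)
    exe = _EXE_RE.search(path)
    return ServiceEntry(
        display_name=display,
        short_name=short.group(1) if short else display,
        owner=owner,
        image_path=path,
        image=exe.group(1).lower() if exe else "",
    )


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Attach review reasons to an entry; an empty flag list means nothing stood out."""
    if entry.owner.lower() == "unknown owner":
        entry.flags.append("no vendor string in the image: cannot be attributed to a known publisher")
    if "(file missing)" in entry.image_path:
        entry.flags.append("registered image does not exist on disk: stale entry or removed binary")
    if "%" in entry.image_path:
        entry.flags.append("unexpanded environment variable in path: the file could not be resolved")
    if entry.image in SERVICE_WRAPPERS:
        entry.flags.append(
            f"{entry.image} launches whatever {SERVICE_WRAPPERS[entry.image]} names: verify that program, not the wrapper"
        )
    return entry


def review_log(lines: Iterable[str]) -> Dict[str, ServiceEntry]:
    """Return only the services that merit a closer look, keyed by short name."""
    flagged: Dict[str, ServiceEntry] = {}
    for line in lines:
        entry = parse_o23(line)
        if entry is None:
            continue
        triage(entry)
        if entry.flags:
            flagged[entry.short_name] = entry
    return flagged


if __name__ == "__main__":
    for name, entry in review_log(SAMPLE_O23_LINES).items():
        print(f"{name} -> {entry.image or entry.image_path}")
        for reason in entry.flags:
            print(f"    - {reason}")
```

On the sample lines the helper reports rpcapd (unknown owner, missing file, unexpanded path), RSX (unknown owner, srvany.exe wrapper) and urtclientservice (unknown owner), and passes the Bonjour and Symantec entries, which is the same shortlist a human reviewer would draw from the log before asking for file scans.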

#15
AGK112586

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Last file scanned at least one scanner reported something about: secure.exe (MD5: 9f046a0b6f5e37efe4ec79ade3e4b9cf, size: 1790976 bytes), detected by:

Scanner                Malware name
A-Squared              X
AntiVir                SPR/Fake.FilesSec.A
ArcaVir                X
Avast                  X
AVG Antivirus          X
BitDefender            X
ClamAV                 X
CPsecure               X
Dr.Web                 X
F-Prot Antivirus       X
F-Secure Anti-Virus    not-a-virus:FraudTool.Win32.IeDefender.bm (6, 2, 616)
Fortinet               X
Ikarus                 X
Kaspersky Anti-Virus   not-a-virus:FraudTool.Win32.IeDefender.bm
NOD32                  X
Norman Virus Control   X
Panda Antivirus        X
Rising Antivirus       X
Sophos Antivirus       X
VirusBuster            X
VBA32                  X
  • 0