Temp files in My Computer [RESOLVED]



#1 marveilleblanche (Member, 35 posts)

Recently I noticed that I have hundreds of temp files starting with pos in my "my documents" folder that cannot be deleted. There was a red x by my C:/ but I fixed that myself. Here is a HijackThis log. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:35, on 2008-02-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {5D5E7F40-CF2B-4D6D-BD5A-6ECE68831D6D} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\prmezihk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: prmezihk - prmezihk.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4902 bytes


#2 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Hi and welcome, let's see if we can give you back control of your computer. This is a long fix, so I would recommend copying it to a text file for reference.

Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {5D5E7F40-CF2B-4D6D-BD5A-6ECE68831D6D} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\prmezihk.dll (file missing)
O20 - Winlogon Notify: prmezihk - prmezihk.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)


Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

THEN

@echo off
sc stop MSControlService
sc delete MSControlService
exit

Next you will need to create the batch fix. To do that, copy and paste ALL of the above in the quote box to a Notepad file.
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat

This will create a batch file.

Then run fix.bat by double-clicking it; you may see a black box appear, this is normal.

NEXT

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\awtss.dll 
    C:\WINDOWS\system32\prmezihk.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\pos*.tmp /s
  • Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

FINALLY FOR NOW

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
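The entries Essexboy picked out above share a few visible traits: a BHO with "(no name)", a path marked "(file missing)", a Winlogon Notify hook, and a service with "Unknown owner". The following is an added example (not part of this thread and not code from HijackThis or its author) that parses HijackThis lines with exactly those heuristics so a helper can triage a log quickly. The sample lines are constructed from the log posted in this thread; the field layout assumed is "section - Type: name - [CLSID or owner] - path", which is how the lines in this log are laid out.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {5D5E7F40-CF2B-4D6D-BD5A-6ECE68831D6D} - C:\WINDOWS\system32\awtss.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\prmezihk.dll (file missing)
O20 - Winlogon Notify: prmezihk - prmezihk.dll (file missing)
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
"""

# A HijackThis line starts with a section code (R0-R3, F0-F3, N1-N4, O1-O24).
LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<rest>.+)$")


@dataclass
class Entry:
    section: str
    name: str
    path: str
    owner: str = ""
    reasons: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section, display name, owner and path."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section = m.group("section")
    fields = [f.strip() for f in m.group("rest").split(" - ")]
    # First field is "Type: name"; the last field is the on-disk path (plus any flag).
    _kind, _, name = fields[0].partition(": ")
    path = fields[-1]
    # O23 service lines carry the vendor ("owner") between name and path.
    owner = fields[1] if section == "O23" and len(fields) >= 3 else ""
    return Entry(section=section, name=name, path=path, owner=owner)


def assess(entry: Entry) -> Entry:
    """Attach the review heuristics used in this thread; a hit means 'look closer', not 'malware'."""
    if entry.path.endswith("(file missing)"):
        entry.reasons.append("file missing")
    if entry.name == "(no name)":
        entry.reasons.append("unnamed BHO")
    if entry.owner == "Unknown owner":
        entry.reasons.append("service with unknown owner")
    if entry.section == "O20":
        entry.reasons.append("Winlogon Notify hook")
    return entry


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that trip at least one heuristic, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {e.name:45} {e.path}")
        print(f"     -> {', '.join(e.reasons)}")
```

The Yahoo and NVIDIA entries fall through untouched, while the four entries Essexboy listed come out flagged; msCMTSrvc is also surfaced because "Unknown owner" is a review prompt, not a verdict, which is why the output lists the reasons rather than just the line.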

#3 marveilleblanche (Topic Starter, Member, 35 posts)

Okay, I did OTMoveIt2 and followed all the commands. As the log was being produced it stopped responding. But it said that all the pos files were moved successfully... if that means anything. And now they're all gone from my My Documents - ah, you're amazing. Okay, ComboFix and I have had a few run-ins, so I will do this when I have a little bit longer. Thank you!!

Edited by marveilleblanche, 20 February 2008 - 06:42 PM.


#4 marveilleblanche (Topic Starter, Member, 35 posts)

ComboFix will run in the morning while I am busy. I do have one already on my desktop, so I should just delete it right? It doesn't have to be uninstalled from my system?

#5 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

Yes, just delete the old version.

#6 marveilleblanche (Topic Starter, Member, 35 posts)

ComboFix 08-02-22 - Owner 2008-02-21 8:15:28.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.257 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\system32\prmezihk.dllbox
.
---- Previous Run -------
.
C:\WINDOWS\system32\cbxwxwx.dll
C:\WINDOWS\system32\ssttt.dll
C:\Documents and Settings\All Users\Start Menu\Programs\AVSystemCare
C:\Documents and Settings\All Users\Start Menu\Programs\AVSystemCare\AVSystemCare.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AVSystemCare\Contact Customer Support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\AVSystemCare\Uninstall AVSystemCare.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\AVSystemCare
C:\Documents and Settings\Owner\Application Data\AVSystemCare\avtasks.dat
C:\Documents and Settings\Owner\Application Data\AVSystemCare\Logs\av.log
C:\Documents and Settings\Owner\Application Data\AVSystemCare\Logs\ga6Support.log
C:\Documents and Settings\Owner\Application Data\AVSystemCare\Logs\update.log
C:\Documents and Settings\Owner\ResErrors.log
C:\Program Files\Common Files\AVSystemCare
C:\Program Files\Common Files\AVSystemCare\bm.exe
C:\Program Files\Common Files\AVSystemCare\ugcw.exe
C:\Program Files\Messenger\lacuryh.dll
C:\Program Files\MSN\jaruzyh89104.dll
C:\Program Files\Router
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\InsiDERIns.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\UGA6P
C:\WINDOWS\b116.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\b153.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\agrggwcy.ini
C:\WINDOWS\system32\cbxwxwx.dll
C:\WINDOWS\system32\ddycvmhv.dll
C:\WINDOWS\system32\drivers\fmtr.sys
C:\WINDOWS\system32\eniixybn.dll
C:\WINDOWS\system32\jstsjaly.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mooejrjv.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\p9
C:\WINDOWS\system32\p9\liopud89104.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnnkif.dll
C:\WINDOWS\system32\prmezihk.dll
C:\WINDOWS\system32\prmezihk.dll . . . . failed to delete
C:\WINDOWS\system32\prmezihk.dllbox
C:\WINDOWS\system32\rcbdyct22.dll
C:\WINDOWS\system32\rspossuj.dll
C:\WINDOWS\system32\ssttt.dll
C:\WINDOWS\system32\sstwa.ini
C:\WINDOWS\system32\sstwa.ini2
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\w11
C:\WINDOWS\system32\w11\hiba3133.exe
C:\WINDOWS\system32\wdiges9.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\ycwggrga.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\troy44.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
.

2008-02-20 07:38 . 2008-02-20 07:38 <DIR> d-------- C:\_OTMoveIt
2008-02-19 15:24 . 2008-02-19 15:31 <DIR> d-------- C:\Program Files\SpyZooka
2008-02-19 15:13 . 2008-02-19 15:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert
2008-02-19 12:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-21 08:37 --------- d-----w C:\Program Files\Coloreal
2008-02-20 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-19 20:24 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-02-19 11:58 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-13 11:53 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-13 11:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-13 11:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-13 11:52 --------- d-----w C:\Program Files\Symantec
2008-01-04 21:37 --------- d-----w C:\Program Files\iTunes
2008-01-04 21:31 --------- d-----w C:\Program Files\QuickTime
2008-01-04 20:44 114,688 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-03 13:10 20,480 ----a-w C:\WINDOWS\quit.exe
2008-01-01 17:51 --------- d-----w C:\Program Files\WildTangent
2008-01-01 17:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\SpywareBot
2008-01-01 16:12 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-01 15:38 18,432 ----a-w C:\WINDOWS\fkwggshm.exe
2008-01-01 15:25 550,912 ----a-w C:\WINDOWS\system32\mwinsmdq.exe
2008-01-01 15:25 431,104 ----a-w C:\WINDOWS\system32\ps2.exe
2008-01-01 15:24 440,832 ----a-w C:\WINDOWS\UpdReg.EXE
2008-01-01 15:20 10 ----a-w C:\Program Files\.autoreg
2008-01-01 15:03 --------- d-----w C:\Program Files\AWS
2007-12-31 23:36 --------- d-----w C:\Program Files\iPod
2007-12-25 15:19 --------- d-----w C:\Program Files\Common Files\Sony Shared
2007-12-25 15:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-24 21:05 --------- d-----w C:\Program Files\WindSolutions
2007-12-23 23:56 --------- d-----w C:\Program Files\Picasa2
2007-12-22 02:36 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-22 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2007-12-22 02:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-22 01:27 --------- d-----w C:\Program Files\Hewlett-Packard
2007-12-21 04:11 81,920 ----a-w C:\WINDOWS\system32\IEDFix.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-03 10:25 73,280 ----a-w C:\WINDOWS\system32\amwwukpa.dll
.
----a-w		   155,648 2008-01-01 17:39:16  C:\Program Files\VERITAS Software\Update Manager\sgtray .exe


((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2001-07-07 04:56:56 C:\hp\KBD\bak\KBD.EXE
----a-w 410,624 2008-01-01 15:24:55 C:\hp\KBD\KBD.EXE

----a-w 315,392 2003-01-25 01:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 131,072 2002-11-27 01:14:24 C:\Program Files\Coloreal\bak\coloreal.exe
----a-w 131,072 2008-01-04 20:44:16 C:\Program Files\Coloreal\coloreal.exe

----a-w 151,597 2003-01-24 15:27:36 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2008-01-04 18:01:38 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 54,976 2002-11-15 10:29:06 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 59,072 2002-11-15 10:29:48 C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe

----a-w 6,731,312 2007-09-05 19:24:34 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe

----a-w 1,511,453 2002-08-21 06:08:38 C:\Program Files\Messenger\bak\msmsgs.exe
----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\msmsgs.exe

----a-w 476,792 2002-11-15 15:08:08 C:\Program Files\Norton AntiVirus\bak\Cfgwiz.exe

----a-w 1,318,912 2007-06-21 18:06:28 C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe
----a-w 1,318,912 2008-01-04 20:44:23 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

----a-w 155,648 2002-06-18 15:01:00 C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe

----a-w 90,112 2000-05-11 05:00:00 C:\WINDOWS\bak\UpdReg.EXE
----a-w 440,832 2008-01-01 15:24:59 C:\WINDOWS\UpdReg.EXE

----a-w 212,992 2002-09-14 05:42:26 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 212,992 2002-09-14 05:42:26 C:\WINDOWS\SMINST\Recguard.exe

----a-w 182 2007-09-25 19:38:12 C:\WINDOWS\system\bak\hpsysdrv.DAT
----a-w 245 2008-01-01 15:19:47 C:\WINDOWS\system\hpsysdrv.dat

----a-w 52,736 1998-05-08 00:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 401,920 2008-01-01 15:24:54 C:\WINDOWS\system\hpsysdrv.exe

----a-w 114,688 2002-10-16 14:05:58 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 114,688 2008-01-04 20:44:15 C:\WINDOWS\system32\hkcmd.exe

----a-w 81,920 2002-08-01 03:28:38 C:\WINDOWS\system32\bak\ps2.exe
----a-w 431,104 2008-01-01 15:25:00 C:\WINDOWS\system32\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-04 15:44 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-04 15:44 114688]
"WCOLOREAL"="C:\Program Files\Coloreal\coloreal.exe" [2008-01-04 15:44 131072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-04 15:44 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-08 07:33:12 124400]
HPAiODevice(hp officejet v series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-04-25 18:43:32 487487]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

S3 msCMTSrvc;Content Monitoring Tool;C:\WINDOWS\system32\msCMTSrvc.exe [2002-03-27 06:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 20:17:15 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-01-25 23:28:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-12 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot .ex
- C:\Program Files\SpywareBot
"2007-08-12 23:45:09 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-22 08:20:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-22 8:22:14
ComboFix-quarantined-files.txt 2008-02-22 13:21:41
ComboFix2.txt 2008-01-04 21:43:55
.
2008-02-14 03:14:13 --- E O F ---

#7 Essexboy (GeekU Moderator, Retired Staff, 69,964 posts)

OK, that is infected.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Renv::
----a-w		   155,648 2008-01-01 17:39:16  C:\Program Files\VERITAS Software\Update Manager\sgtray .exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

(animation not reproduced: CFScript.txt being dragged onto ComboFix.exe)


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

NEXT
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

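The AWF section of the ComboFix log above is the evidence behind Essexboy's diagnosis: each legitimate file has been moved into a sibling "bak" folder and something else now sits at its original path. The following is an added example (not part of this thread, and not code from FindAWF, ComboFix or their authors) that pairs every "\bak\" entry with the file at its restore target and classifies the pair, which is the check a responder wants before restoring anything. The sample lines are constructed from the AWF section posted above; the entry layout assumed is "attributes size date time path", and the three status strings are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the AWF section of the ComboFix log posted in this thread.
SAMPLE_AWF = r"""
----a-w 61,440 2001-07-07 04:56:56 C:\hp\KBD\bak\KBD.EXE
----a-w 410,624 2008-01-01 15:24:55 C:\hp\KBD\KBD.EXE

----a-w 315,392 2003-01-25 01:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 131,072 2002-11-27 01:14:24 C:\Program Files\Coloreal\bak\coloreal.exe
----a-w 131,072 2008-01-04 20:44:16 C:\Program Files\Coloreal\coloreal.exe

----a-w 81,920 2002-08-01 03:28:38 C:\WINDOWS\system32\bak\ps2.exe
----a-w 431,104 2008-01-01 15:25:00 C:\WINDOWS\system32\ps2.exe
"""

# One AWF line: attribute flags, size with thousands separators, timestamp, full path.
ENTRY_RE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>.+)$"
)


@dataclass
class FileEntry:
    size: int
    stamp: str
    path: str


@dataclass
class Pair:
    target: str                  # path where the legitimate file belongs
    backup: FileEntry            # the copy that was moved into \bak\
    current: Optional[FileEntry] # whatever sits at the target now, if anything
    status: str


def parse_awf(text: str) -> List[FileEntry]:
    """Parse the AWF section into entries; blank and non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            size = int(m.group("size").replace(",", ""))
            entries.append(FileEntry(size, m.group("stamp"), m.group("path")))
    return entries


def backup_target(path: str) -> Optional[str]:
    """For ...\dir\bak\name return ...\dir\name; None if the path is not inside a bak folder."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def pair_backups(entries: List[FileEntry]) -> List[Pair]:
    """Match each bak copy to its restore target and classify what is there now."""
    by_path = {e.path.lower(): e for e in entries}   # Windows paths compare case-insensitively
    pairs = []
    for backup in entries:
        target = backup_target(backup.path)
        if target is None:
            continue
        current = by_path.get(target.lower())
        if current is None:
            status = "original missing: restore from bak"
        elif current.size != backup.size:
            status = "replaced: size differs from backup"
        else:
            # Same size proves nothing either way; compare hashes before trusting it.
            status = "same size as backup: verify hash before restoring"
        pairs.append(Pair(target, backup, current, status))
    return pairs


def replacement_dates(pairs: List[Pair]) -> List[str]:
    """Distinct days on which size-changed replacements were written; clustering here dates the infection."""
    return sorted({p.current.stamp[:10] for p in pairs
                   if p.current is not None and p.status.startswith("replaced")})


if __name__ == "__main__":
    pairs = pair_backups(parse_awf(SAMPLE_AWF))
    for p in pairs:
        print(f"{p.target}\n    {p.status}")
    print("replacement dates:", replacement_dates(pairs))
```

On the sample, KBD.EXE and ps2.exe come out as replaced, atiptaxx.exe has only its backup left, and coloreal.exe is size-identical to its backup and so is held for a hash comparison rather than silently restored; the replacement dates collapse to 2008-01-01, which is the same cluster visible in the Find3M report above.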

#8 marveilleblanche (Topic Starter, Member, 35 posts)

ComboFix 08-02-23.2 - Owner 2008-02-23 11:01:00.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.257 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-23 to 2008-02-23 )))))))))))))))))))))))))))))))
.

2008-02-20 07:38 . 2008-02-20 07:38 <DIR> d-------- C:\_OTMoveIt
2008-02-19 15:24 . 2008-02-19 15:31 <DIR> d-------- C:\Program Files\SpyZooka
2008-02-19 15:13 . 2008-02-19 15:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AdwareAlert
2008-02-19 12:47 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-23 23:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-23 23:37 --------- d-----w C:\Program Files\Coloreal
2008-02-19 20:24 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-02-19 11:58 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-02-13 11:53 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-13 11:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-13 11:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-13 11:52 --------- d-----w C:\Program Files\Symantec
2008-01-04 21:37 --------- d-----w C:\Program Files\iTunes
2008-01-04 21:31 --------- d-----w C:\Program Files\QuickTime
2008-01-04 20:44 114,688 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-03 13:10 20,480 ----a-w C:\WINDOWS\quit.exe
2008-01-01 17:51 --------- d-----w C:\Program Files\WildTangent
2008-01-01 17:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\SpywareBot
2008-01-01 16:12 24,576 ----a-w C:\WINDOWS\system32\VundoFixSVC.exe
2008-01-01 15:38 18,432 ----a-w C:\WINDOWS\fkwggshm.exe
2008-01-01 15:25 550,912 ----a-w C:\WINDOWS\system32\mwinsmdq.exe
2008-01-01 15:25 431,104 ----a-w C:\WINDOWS\system32\ps2.exe
2008-01-01 15:24 440,832 ----a-w C:\WINDOWS\UpdReg.EXE
2008-01-01 15:20 10 ----a-w C:\Program Files\.autoreg
2008-01-01 15:03 --------- d-----w C:\Program Files\AWS
2007-12-31 23:36 --------- d-----w C:\Program Files\iPod
2007-12-25 15:19 --------- d-----w C:\Program Files\Common Files\Sony Shared
2007-12-25 15:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-25 15:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2007-12-24 21:05 --------- d-----w C:\Program Files\WindSolutions
2007-12-23 23:56 --------- d-----w C:\Program Files\Picasa2
2007-12-21 04:11 81,920 ----a-w C:\WINDOWS\system32\IEDFix.exe
2007-12-07 01:07 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-03 10:25 73,280 ----a-w C:\WINDOWS\system32\amwwukpa.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2001-07-07 04:56:56 C:\hp\KBD\bak\KBD.EXE
----a-w 410,624 2008-01-01 15:24:55 C:\hp\KBD\KBD.EXE

----a-w 315,392 2003-01-25 01:00:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe

----a-w 131,072 2002-11-27 01:14:24 C:\Program Files\Coloreal\bak\coloreal.exe
----a-w 131,072 2008-01-04 20:44:16 C:\Program Files\Coloreal\coloreal.exe

----a-w 151,597 2003-01-24 15:27:36 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2008-01-04 18:01:38 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 54,976 2002-11-15 10:29:06 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 59,072 2002-11-15 10:29:48 C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe

----a-w 6,731,312 2007-09-05 19:24:34 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe

----a-w 1,511,453 2002-08-21 06:08:38 C:\Program Files\Messenger\bak\msmsgs.exe
----a-w 1,694,208 2004-10-13 16:24:37 C:\Program Files\Messenger\msmsgs.exe

----a-w 476,792 2002-11-15 15:08:08 C:\Program Files\Norton AntiVirus\bak\Cfgwiz.exe

----a-w 1,318,912 2007-06-21 18:06:28 C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe
----a-w 1,318,912 2008-01-04 20:44:23 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

----a-w 155,648 2002-06-18 15:01:00 C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe
----a-w 155,648 2008-01-01 17:39:16 C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

----a-w 90,112 2000-05-11 05:00:00 C:\WINDOWS\bak\UpdReg.EXE
----a-w 440,832 2008-01-01 15:24:59 C:\WINDOWS\UpdReg.EXE

----a-w 212,992 2002-09-14 05:42:26 C:\WINDOWS\SMINST\bak\RECGUARD.EXE
----a-w 212,992 2002-09-14 05:42:26 C:\WINDOWS\SMINST\Recguard.exe

----a-w 182 2007-09-25 19:38:12 C:\WINDOWS\system\bak\hpsysdrv.DAT
----a-w 245 2008-01-01 15:19:47 C:\WINDOWS\system\hpsysdrv.dat

----a-w 52,736 1998-05-08 00:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 401,920 2008-01-01 15:24:54 C:\WINDOWS\system\hpsysdrv.exe

----a-w 114,688 2002-10-16 14:05:58 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 114,688 2008-01-04 20:44:15 C:\WINDOWS\system32\hkcmd.exe

----a-w 81,920 2002-08-01 03:28:38 C:\WINDOWS\system32\bak\ps2.exe
----a-w 431,104 2008-01-01 15:25:00 C:\WINDOWS\system32\ps2.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-04 15:44 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-04 15:44 114688]
"WCOLOREAL"="C:\Program Files\Coloreal\coloreal.exe" [2008-01-04 15:44 131072]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-04 15:44 267048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-08 07:33:12 124400]
HPAiODevice(hp officejet v series) - 1.lnk - C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe [2002-04-25 18:43:32 487487]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\iTunes\\iTunes.exe"=

S3 msCMTSrvc;Content Monitoring Tool;C:\WINDOWS\system32\msCMTSrvc.exe [2002-03-27 06:42]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 20:17:15 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2008-02-22 23:28:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-12 08:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot .ex
- C:\Program Files\SpywareBot
"2007-08-12 23:45:09 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-23 11:06:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-23 11:07:18
ComboFix-quarantined-files.txt 2008-02-23 16:07:03
ComboFix2.txt 2008-02-22 13:22:14
ComboFix3.txt 2008-01-04 21:43:55
.
2008-02-14 03:14:13 --- E O F ---




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09, on 2008-02-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 4498 bytes

#9
marveilleblanche

    Member

  • Topic Starter
  • Member
  • 35 posts
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-02-23
The current time is: 11:10:37.26


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

2000-05-11 00:00 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\HP\KBD\BAK

2001-07-06 23:56 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\COLOREAL\BAK

2002-11-26 20:14 131,072 coloreal.exe
1 File(s) 131,072 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

2002-08-21 01:08 1,511,453 msmsgs.exe
1 File(s) 1,511,453 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

2002-11-15 10:08 476,792 Cfgwiz.exe
1 File(s) 476,792 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

2007-06-21 13:06 1,318,912 SUPERAntiSpyware.exe
1 File(s) 1,318,912 bytes

Directory of C:\WINDOWS\SMINST\BAK

2002-09-14 00:42 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

2007-09-25 14:38 182 hpsysdrv.DAT
1998-05-07 19:04 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2002-10-16 09:05 114,688 hkcmd.exe
2002-07-31 22:28 81,920 ps2.exe
2 File(s) 196,608 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

2003-01-24 20:00 315,392 atiptaxx.exe
1 File(s) 315,392 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

2002-11-15 05:29 54,976 ccApp.exe
2002-11-15 05:29 59,072 ccRegVfy.exe
2 File(s) 114,048 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

2007-09-05 14:24 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Directory of C:\PROGRA~1\VERITA~1\UPDATE~1\BAK

2002-06-18 10:01 155,648 sgtray.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2003-01-24 10:27 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\PROGRAM\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

440832 Jan 1 2008 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
410624 Jan 1 2008 "C:\hp\KBD\KBD.EXE"
61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.EXE"
131072 Jan 4 2008 "C:\Program Files\Coloreal\coloreal.exe"
131072 Nov 26 2002 "C:\Program Files\Coloreal\bak\coloreal.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1511453 Aug 21 2002 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
476792 Nov 15 2002 "C:\Program Files\Norton AntiVirus\bak\Cfgwiz.exe"
1318912 Jan 4 2008 "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
5914648 Dec 20 2007 "C:\Documents and Settings\Family of 5.AMBROZ5\Desktop\SUPERAntiSpyware.exe"
1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
212992 Sep 14 2002 "C:\WINDOWS\SMINST\Recguard.exe"
212992 Sep 14 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
245 Jan 1 2008 "C:\WINDOWS\system\hpsysdrv.dat"
182 Sep 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
401920 Jan 1 2008 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
114688 Jan 4 2008 "C:\WINDOWS\system32\hkcmd.exe"
114688 Oct 16 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Oct 16 2002 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
431104 Jan 1 2008 "C:\WINDOWS\system32\ps2.exe"
81920 Jul 31 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Jul 31 2002 "C:\WINDOWS\system32\bak\ps2.exe"
315392 Jan 24 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
54976 Nov 15 2002 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
59072 Nov 15 2002 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
6731312 Sep 5 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
155648 Jan 1 2008 "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe"
155648 Jun 18 2002 "C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe"
151597 Jan 4 2008 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Jan 24 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report

#10
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi marveilleblanche, this needs to be done fairly fast before the trojan spreads to other files.

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\WINDOWS\bak\UpdReg.EXE"
    "C:\hp\KBD\bak\KBD.EXE"
    "C:\Program Files\Coloreal\bak\coloreal.exe"
    "C:\Program Files\Messenger\bak\msmsgs.exe"
    "C:\Program Files\Norton AntiVirus\bak\Cfgwiz.exe"
    "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
    "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
    "C:\WINDOWS\system\bak\hpsysdrv.DAT"
    "C:\WINDOWS\system\bak\hpsysdrv.exe"
    "C:\WINDOWS\system32\bak\hkcmd.exe"
    "C:\WINDOWS\system32\bak\ps2.exe"
    "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    "C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
    "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

#11
marveilleblanche

    Member

  • Topic Starter
  • Member
  • 35 posts
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-02-23
The current time is: 1:08:44.23


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

2000-05-11 00:00 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\HP\KBD\BAK

2001-07-06 23:56 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\COLOREAL\BAK

2002-11-26 20:14 131,072 coloreal.exe
1 File(s) 131,072 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

2002-08-21 01:08 1,511,453 msmsgs.exe
1 File(s) 1,511,453 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

2002-11-15 10:08 476,792 Cfgwiz.exe
1 File(s) 476,792 bytes

Directory of C:\PROGRA~1\SUPERA~1\BAK

2007-06-21 13:06 1,318,912 SUPERAntiSpyware.exe
1 File(s) 1,318,912 bytes

Directory of C:\WINDOWS\SMINST\BAK

2002-09-14 00:42 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

2007-09-25 14:38 182 hpsysdrv.DAT
1998-05-07 19:04 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2002-10-16 09:05 114,688 hkcmd.exe
2002-07-31 22:28 81,920 ps2.exe
2 File(s) 196,608 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

2003-01-24 20:00 315,392 atiptaxx.exe
1 File(s) 315,392 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

2002-11-15 05:29 54,976 ccApp.exe
2002-11-15 05:29 59,072 ccRegVfy.exe
2 File(s) 114,048 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

2007-09-05 14:24 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Directory of C:\PROGRA~1\VERITA~1\UPDATE~1\BAK

2002-06-18 10:01 155,648 sgtray.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2003-01-24 10:27 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\PROGRAM\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
61440 Jul 6 2001 "C:\hp\KBD\KBD.EXE"
61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.EXE"
131072 Nov 26 2002 "C:\Program Files\Coloreal\coloreal.exe"
131072 Nov 26 2002 "C:\Program Files\Coloreal\bak\coloreal.exe"
1511453 Aug 21 2002 "C:\Program Files\Messenger\msmsgs.exe"
1667584 Aug 4 2004 "C:\WINDOWS\$NtUninstallKB887472$\msmsgs.exe"
1511453 Aug 21 2002 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
476792 Nov 15 2002 "C:\Program Files\Norton AntiVirus\Cfgwiz.exe"
476792 Nov 15 2002 "C:\Program Files\Norton AntiVirus\bak\Cfgwiz.exe"
1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
5914648 Dec 20 2007 "C:\Documents and Settings\Family of 5.AMBROZ5\Desktop\SUPERAntiSpyware.exe"
1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
212992 Sep 14 2002 "C:\WINDOWS\SMINST\RECGUARD.EXE"
212992 Sep 14 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
182 Sep 25 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Sep 25 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
114688 Oct 16 2002 "C:\WINDOWS\system32\hkcmd.exe"
114688 Oct 16 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Oct 16 2002 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
81920 Jul 31 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Jul 31 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Jul 31 2002 "C:\WINDOWS\system32\bak\ps2.exe"
315392 Jan 24 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
315392 Jan 24 2003 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
54976 Nov 15 2002 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
59072 Nov 15 2002 "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
59072 Nov 15 2002 "C:\Program Files\Common Files\Symantec Shared\bak\ccRegVfy.exe"
6731312 Sep 5 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
6731312 Sep 5 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
155648 Jun 18 2002 "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe"
155648 Jun 18 2002 "C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe"
151597 Jan 24 2003 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Jan 24 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


end of report
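The pattern the helper is acting on across the two reports above: each bak folder holds the original executable, and the live file beside it was swapped, which shows up in the "Duplicate files" section as a size or date mismatch that disappears after option 2. The following triage script is an added example, not part of FindAWF or of this thread; it parses that section and flags which live files differ from their bak copy, using lines copied from the before and after reports as sample input.

```python
import re
from pathlib import PureWindowsPath

# One duplicate-file line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

def parse_report(text):
    """Return [(size, date, PureWindowsPath)] for every duplicate-file line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))))
    return entries

def triage(text):
    """Map each live path that has a copy in a bak folder to one verdict:
    'replaced' - live file's size or date differ from the bak copy
    'matches'  - live file and bak copy agree (restored, or never swapped)
    'missing'  - the bak copy has no live sibling listed in the report
    Paths are compared case-insensitively, as NTFS names are."""
    entries = parse_report(text)
    index = {str(p).lower(): (size, date, str(p)) for size, date, p in entries}
    verdicts = {}
    for bak_size, bak_date, p in entries:
        if p.parent.name.lower() != "bak":
            continue
        expected = p.parent.parent / p.name          # where the original lived
        hit = index.get(str(expected).lower())
        if hit is None:
            verdicts[str(expected)] = "missing"
        elif (hit[0], hit[1]) != (bak_size, bak_date):
            verdicts[hit[2]] = "replaced"
        else:
            verdicts[hit[2]] = "matches"
    return verdicts

def needs_attention(text):
    """Sorted live paths whose verdict is anything but 'matches'."""
    return sorted(path for path, v in triage(text).items() if v != "matches")

# Sample lines taken from the two reports in this thread (before and after option 2).
BEFORE = r'''
440832 Jan 1 2008 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
131072 Jan 4 2008 "C:\Program Files\Coloreal\coloreal.exe"
131072 Nov 26 2002 "C:\Program Files\Coloreal\bak\coloreal.exe"
476792 Nov 15 2002 "C:\Program Files\Norton AntiVirus\bak\Cfgwiz.exe"
212992 Sep 14 2002 "C:\WINDOWS\SMINST\Recguard.exe"
212992 Sep 14 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
'''
AFTER = r'''
90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
131072 Nov 26 2002 "C:\Program Files\Coloreal\coloreal.exe"
131072 Nov 26 2002 "C:\Program Files\Coloreal\bak\coloreal.exe"
476792 Nov 15 2002 "C:\Program Files\Norton AntiVirus\Cfgwiz.exe"
476792 Nov 15 2002 "C:\Program Files\Norton AntiVirus\bak\Cfgwiz.exe"
'''

if __name__ == "__main__":
    for label, report in (("before", BEFORE), ("after", AFTER)):
        print(label, triage(report))
```

A same-size but newer-dated live file (coloreal.exe before the restore) is still reported as replaced, which is why the helper's restore list includes it.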

#12
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Last bit for the AWF :)

  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\bak
    C:\hp\KBD\bak
    C:\Program Files\Coloreal\bak
    C:\Program Files\Messenger\bak
    C:\Program Files\Norton AntiVirus\bak
    C:\Program Files\SUPERAntiSpyware\bak
    C:\WINDOWS\SMINST\bak
    C:\WINDOWS\system\bak
    C:\WINDOWS\system\bak
    C:\WINDOWS\system32\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\ATI Technologies\ATI Control Panel\bak
    C:\Program Files\Common Files\Symantec Shared\bak
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak
    C:\Program Files\VERITAS Software\Update Manager\bak
    C:\Program Files\Common Files\Real\Update_OB\bak

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

THEN

  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 4, then press Enter.
  • You will receive a warning to reset domain zones
  • Press 1 then press Enter.
  • If you have manually included sites in the trusted zones, these will need to be re-inserted.

FINALLY

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\system32\mwinsmdq.exe
C:\WINDOWS\system32\amwwukpa.dll

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

If I could have the Findawf and combofix logs please - plus how is your computer running now?

#13
marveilleblanche

    Member

  • Topic Starter
  • Member
  • 35 posts
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2008-02-23
The current time is: 6:26:28.82


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\CREATIVE\SBLIVE\PROGRAM\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

#14
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi, did you run the combofix as well? AWF is now clear.

#15
marveilleblanche

    Member

  • Topic Starter
  • Member
  • 35 posts
I did, but I accidentally closed out of the log report before I posted it... so I can run that again if you want me to...