Geeks to Go
Vundo won't go away, can't delete. Please help.


#16 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
You are welcome :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\System32\xwqwkyju.dll
C:\Documents and Settings\Doug Radcliffe\Application Data\eetu.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\WINDOWS\System32\BDAZEK.exe
C:\WINDOWS\System32\cmd32.exe
C:\documents and settings\doug radcliffe\local settings\temp\dx4.exe
C:\WINDOWS\System32\gbnviebc.dll
C:\WINDOWS\System32\regscan.exe
C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
c:\windows\saap.exe
C:\WINDOWS\tilglej.exe
c:\windows\system32\xlktrjjk.exe
Folder::
C:\WINDOWS\SYSTEM32\nGpxx01
C:\Temp\cXzz9
C:\Program Files\BullsEye Network
C:\WINDOWS\isrvs
C:\Program Files\Dot1XCfg
C:\Program Files\Media Access
C:\Program Files\Viewpoint
C:\Program Files\SurfSideKick 2
C:\PROGRA~1\Toolbar
C:\PROGRA~1\COMMON~1\WinTools
Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\70b120b9]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aida]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ap9h4qmo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAZEK]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlPanel]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Desktop Search]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dx4.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InfoData]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Update]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RunDLL]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\saap]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 2]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tcvhk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tilglej]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xlktrjjk]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image: animation showing CFScript.txt being dragged onto ComboFix.exe]


5. After the reboot (if it asks to reboot), please post the following report/log in your next reply: Combofix.txt
===============================
Next:
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups then restore them.

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.



#17 MBison (Topic Starter, Member, 27 posts)
Here's the new Combofix log. I'm still waiting for the FindAWF to finish.

ComboFix 08-02.03.1 - Doug Radcliffe 2008-02-03 20:15:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.607 [GMT -5:00]
Running from: C:\Documents and Settings\Doug Radcliffe\Desktop\Hijack This\ComboFix.exe
Command switches used :: C:\Documents and Settings\Doug Radcliffe\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Doug Radcliffe\Application Data\eetu.exe
C:\documents and settings\doug radcliffe\local settings\temp\dx4.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\mrofinu572.exe.tmp
c:\windows\saap.exe
C:\WINDOWS\System32\ap9h4qmo.exe
C:\WINDOWS\System32\BDAZEK.exe
C:\WINDOWS\System32\bridge.dll
C:\WINDOWS\System32\cmd32.exe
C:\WINDOWS\System32\gbnviebc.dll
C:\WINDOWS\System32\regscan.exe
c:\windows\system32\xlktrjjk.exe
C:\WINDOWS\System32\xwqwkyju.dll
C:\WINDOWS\tilglej.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Viewpoint
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\header.gif
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\no.gif
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\options.ini
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\updates.html
C:\Program Files\Viewpoint\Viewpoint Manager\NotifyData\yes.gif
C:\Program Files\Viewpoint\Viewpoint Manager\Read_Me.txt
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ClassIDs.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentMgr_0305000D.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\ComponentRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\AOLUserShell.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Cursors.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\IEUI.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\JpegReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\Mts3Reader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SreeDMMX.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\SWFView.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMgr.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPSpeech.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\VMPVideo2.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Components\WaveletReader.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\DownLoadHist.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\HostRegistry.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamConfig.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MetaStreamID.ini
C:\Program Files\Viewpoint\Viewpoint Media Player\MtsAxInstaller.exe
C:\Program Files\Viewpoint\Viewpoint Media Player\MTSDownloadSites.txt
C:\Program Files\Viewpoint\Viewpoint Media Player\NewComponents\SceneComponent.dll
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1246465647.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-1756920320.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\-241378018.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1675746420.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1869876464.SWF
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\1989748647.mtx
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\253621806.mtx
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\657252176.mtj&p2=0&p3=09087101198639273284478601494997&p4=50334729
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\947249231.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_00\992863017.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-1439880944.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-298155108.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-507239884.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\-707840405.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1738787899.swf
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\1761943089.swf
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_01\549520814.mtj&p2=0&p3=09087101198639273284478601494997&p4=0
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-1381214539.mtj&p2=1&p3=09087101198639273284478601494997&p4=0
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-640486417.swf
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-708330295.swf
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\-806736195.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1237490237.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\140717680.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1511195520.SWF
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\1654430992.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\254978581.SWF
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\345086045.mtj&p2=0&p3=09087101198639273284478601494997&p4=0
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\518054506.mtx
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_02\817164098.mts
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-51649169.mtz
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-546004.swf
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\-735698438.mtj&p2=0&p3=09087101198639273284478601494997&p4=0
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1004341347.jpg
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1386684726.MTZ
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\ResourceFolder_03\1654431003.MTS
C:\Program Files\Viewpoint\Viewpoint Media Player\Resources\UpdateVersionList_v2.mtx
C:\Temp\cXzz9
C:\WINDOWS\SYSTEM32\nGpxx01

.
((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-03 14:53 . 2008-02-03 14:53 <DIR> d-------- C:\Deckard
2008-02-03 14:40 . 2008-02-03 14:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-03 04:15 . 2008-02-03 04:16 <DIR> d-------- C:\Program Files\Unlocker
2008-02-03 03:51 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-02-03 03:51 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-02-03 03:51 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-02-02 15:46 . 2008-02-03 20:15 <DIR> d-------- C:\Temp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-03 16:06 10,022 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2008-02-02 08:10 --------- d-----w C:\Program Files\Full Tilt Poker
2008-02-02 06:42 --------- d-----w C:\Program Files\Soulseek
2008-01-27 04:57 --------- d-----w C:\Program Files\Winamp
2008-01-23 17:09 --------- d-----w C:\Documents and Settings\Doug Radcliffe\Application Data\uTorrent
2008-01-20 05:20 --------- d-----w C:\Program Files\Norton AntiVirus
2007-12-07 23:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 01:13 --------- d-----w C:\Program Files\Strategy First
2007-12-07 00:27 --------- d-----w C:\Program Files\Activision
2007-12-03 00:24 108,144 ----a-w C:\WINDOWS\SYSTEM32\CmdLineExt.dll
2007-10-02 20:22 22,328 ----a-w C:\Documents and Settings\Doug Radcliffe\Application Data\PnkBstrK.sys
2006-01-17 20:21 58,936 ----a-w C:\Documents and Settings\Doug Radcliffe\Application Data\GDIPFONTCACHEV1.DAT
2005-04-09 23:03 0 ----a-w C:\Documents and Settings\Doug Radcliffe\7.dat
2005-04-09 23:03 0 ----a-w C:\Documents and Settings\Doug Radcliffe\6.dat
2005-04-09 23:03 0 ----a-w C:\Documents and Settings\Doug Radcliffe\4.dat
2005-04-09 23:03 0 ----a-w C:\Documents and Settings\Doug Radcliffe\3.dat
2005-04-09 23:03 0 ----a-w C:\Documents and Settings\Doug Radcliffe\1.dat
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 339,968 2004-06-11 01:10:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
----a-w 339,968 2004-06-11 01:10:00 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

----a-w 45,056 2005-08-12 18:43:58 C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe

----a-w 28,672 2002-07-16 12:21:48 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
----a-w 28,672 2002-07-16 12:21:48 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

----a-w 151,597 2003-06-29 02:35:18 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w 151,597 2003-06-29 02:35:18 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

----a-w 45,056 2002-09-30 06:00:00 C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE
----a-w 45,056 2002-09-30 06:00:00 C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

----a-w 49,152 2002-10-29 14:18:24 C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe
----a-w 49,152 2002-10-29 14:18:24 C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

----a-w 972,432 2006-11-07 22:22:24 C:\Program Files\IGN\Download Manager\bak\DLM.exe
----a-w 972,432 2006-11-07 22:22:24 C:\Program Files\IGN\Download Manager\DLM.exe

----a-w 86,016 2003-03-11 21:24:40 C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe
----a-w 86,016 2003-03-11 21:24:40 C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe

----a-w 278,528 2005-10-18 16:58:54 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 36,975 2005-06-03 07:52:54 C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe
----a-w 36,975 2005-06-03 07:52:54 C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe

----a-w 53,248 2003-07-30 05:02:16 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe
----a-w 53,248 2003-07-30 05:02:16 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

----a-w 143,360 2003-03-28 21:20:38 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
----a-w 143,360 2003-03-28 21:20:38 C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

----a-w 155,648 2005-11-02 04:38:39 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 155,648 2005-11-02 04:38:39 C:\Program Files\QuickTime\qttask.exe

----a-w 684,032 2002-12-17 17:28:00 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe
----a-w 684,032 2002-12-17 17:28:00 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

----a-w 13,312 2002-08-29 10:00:00 C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w 13,312 2002-08-29 10:00:00 C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-r 28,672 2002-08-14 23:22:52 C:\WINDOWS\SYSTEM32\bak\DSentry.exe
----a-r 28,672 2002-08-14 23:22:52 C:\WINDOWS\SYSTEM32\DSentry.exe

----a-w 63,696 2005-09-28 20:35:48 C:\WINDOWS\SYSTEM32\bak\dxdllreg.exe
----a-w 63,696 2005-09-28 20:35:48 C:\WINDOWS\SYSTEM32\dxdllreg.exe

----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe
----a-w 155,648 2001-07-09 15:50:42 C:\WINDOWS\SYSTEM32\NeroCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 21:02 68856]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00 13312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 16:24 86016]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-06-10 20:10 339968]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 18:22 28672]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 09:18 49152]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2003-02-20 16:45 28672 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AsioReg"="REGSVR32.exe" [2002-08-29 05:00 9728 C:\WINDOWS\SYSTEM32\REGSVR32.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2003-03-28 16:20 143360]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2003-06-28 21:35 151597]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 12:28 684032]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 07:21 28672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 02:52 36975]
"mmtask"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe" [2003-07-30 00:02 53248]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-11-01 23:38 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 20:22 26248]
"THGuard"="C:\Program Files\TrojanHunter 4.6\THGuard.exe" [2007-01-31 13:59 1102848]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 17:30 517768]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35 90112]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00 145408]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-05-31 02:49:02 113664]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56 65588]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-29 05:00 13312 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
--a------ 2006-11-07 17:22 972432 C:\Program Files\IGN\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\WINDOWS\kdx\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security iGuard]
C:\Program Files\Security iGuard\Security iGuard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
C:\PROGRA~1\Toolbar\TBPS.exe

R2 PStrip;PSTRIP;C:\WINDOWS\System32\DRIVERS\PSTRIP.SYS [2004-11-09 16:32]
S3 gkmixern;gkmixern;C:\DOCUME~1\DOUGRA~1\LOCALS~1\Temp\gkmixern.sys []
S3 sks;sks;C:\DOCUME~1\DOUGRA~1\LOCALS~1\Temp\sks.sys []
S3 Smport;Smport;C:\Documents and Settings\Doug Radcliffe\Desktop\Newsbin\DOWNLOAD\ROMS\Intellivision\Intellivision Emu\Smport.sys []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-02-02 04:24:14 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Doug Radcliffe.job"
- C:\PROGRA~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-03 20:17:58
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-03 20:30:44
ComboFix-quarantined-files.txt 2008-02-04 01:30:42
ComboFix2.txt 2008-02-03 21:13:04
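The Registry:: section of the CFScript in post #16 writes the SecurityProviders value back to four DLLs, and the ComboFix log above shows why: a fifth entry, zwebauth.dll, had been appended to it. LSASS loads every DLL named in that value at boot, which makes the list a persistence point worth checking on any cleaned machine. The Python script below is an added example, not part of this thread, of ComboFix or of FindAWF; it parses such a value and flags anything outside the list the CFScript restores. The two sample values are taken from the script and the log above; the read-back of the live value through winreg is an assumption about running it on a Windows host and is skipped elsewhere.

```python
# Added example (not from the original thread): compare a Windows
# SecurityProviders registry value with the four-DLL list the CFScript
# writes back, and report any extra SSP DLL.
#
# LSASS loads every DLL listed under
#   HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
# at boot, so an appended DLL runs inside lsass.exe with SYSTEM rights.

# The value the CFScript in post #16 writes (trailing comma included there).
DEFAULT_PROVIDERS = ("msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll")

# Constructed samples: the value ComboFix reported (post #17) and the
# value the CFScript restores.
REPORTED = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"
RESTORED = "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,"


def parse_providers(value: str) -> list[str]:
    """Split the comma-separated REG_SZ into lower-cased DLL names.

    A trailing comma (as in the CFScript value) yields an empty token,
    which is dropped rather than reported as a provider."""
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def extra_providers(value: str, allow=DEFAULT_PROVIDERS) -> list[str]:
    """Return the DLLs in `value` that are not in the allowlist, in order."""
    allowed = {a.lower() for a in allow}
    return [p for p in parse_providers(value) if p not in allowed]


def read_live_value() -> str:
    """Read the value from the local registry (Windows only; assumed use)."""
    import winreg  # standard library on Windows, ImportError elsewhere
    key_path = r"SYSTEM\CurrentControlSet\Control\SecurityProviders"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _value_type = winreg.QueryValueEx(key, "SecurityProviders")
    return value


if __name__ == "__main__":
    samples = [("reported (post #17)", REPORTED), ("restored by CFScript", RESTORED)]
    try:
        samples.append(("this machine", read_live_value()))
    except (ImportError, OSError):
        pass  # not on Windows, or key not readable
    for label, value in samples:
        extras = extra_providers(value)
        verdict = "no extra providers" if not extras else "EXTRA: " + ", ".join(extras)
        print(f"{label}: {verdict}")
```

A name allowlist only catches an added entry. It says nothing about whether the four expected DLLs in System32 are still the genuine files, so on a machine that had this infection the next check is the hash or signature of each listed DLL, not just its name.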

#18 MBison (Topic Starter, Member, 27 posts)
Here's the FindAWF.txt. Note that it found a lot of bak directories because I had AWF before. I never deleted the bak directories, probably should have. It looks like it's clean from just skimming this but you're the expert :)

Let me know what the next step is. It seems to be running better but just let me know. Thanks SO MUCH again.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 02/03/2008
The current time is: 22:36:26.68


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/01/2005 11:38 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/29/2002 05:00 AM 13,312 ctfmon.exe
08/14/2002 06:22 PM 28,672 DSentry.exe
09/28/2005 03:35 PM 63,696 dxdllreg.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
4 File(s) 261,328 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK

08/12/2005 01:43 PM 45,056 cli.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

06/10/2004 08:10 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\IGN\DOWNLO~1\BAK

11/07/2006 05:22 PM 972,432 DLM.exe
1 File(s) 972,432 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

03/28/2003 04:20 PM 143,360 mm_tray.exe
07/30/2003 12:02 AM 53,248 mmtask.exe
2 File(s) 196,608 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 07:21 AM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/28/2003 09:35 PM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

09/30/2002 01:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

10/29/2002 09:18 AM 49,152 CTSysVol.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\NCS\PROSET\BAK

03/11/2003 04:24 PM 86,016 PRONoMgr.exe
1 File(s) 86,016 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

06/03/2005 02:52 AM 36,975 jusched.exe
1 File(s) 36,975 bytes


12/17/2002 12:28 PM 684,032 DirectCD.exe
1 File(s) 684,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
155648 Nov 1 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Nov 1 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\DSentry.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
63696 Sep 28 2005 "C:\WINDOWS\SYSTEM32\dxdllreg.exe"
46592 Dec 12 2002 "C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe"
63696 Sep 28 2005 "C:\WINDOWS\SYSTEM32\bak\dxdllreg.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
45056 Aug 12 2005 "C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
49152 Jul 17 2007 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.exe"
339968 Jun 10 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Jun 10 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
972432 Nov 7 2006 "C:\Program Files\IGN\Download Manager\DLM.exe"
972432 Nov 7 2006 "C:\Program Files\IGN\Download Manager\bak\DLM.exe"
53248 Jul 30 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Jul 30 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 May 24 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
143360 Mar 28 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
143360 Mar 28 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
131072 May 24 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
151597 Jun 28 2003 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Jun 28 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
45056 Sep 30 2002 "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE"
45056 Sep 30 2002 "C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
49152 Oct 29 2002 "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
49152 Oct 29 2002 "C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
86016 Mar 11 2003 "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
86016 Mar 11 2003 "C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"


end of report

Edited by MBison, 03 February 2008 - 09:53 PM.


#19 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
    "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
    "C:\WINDOWS\SYSTEM32\bak\dxdllreg.exe"
    "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
    "C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
    "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    "C:\Program Files\IGN\Download Manager\bak\DLM.exe"
    "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
    "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
    "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    "C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
    "C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
    "C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe"
    "C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"
    "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"



  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 2, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

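Post #16 describes what this downloader does: it moves the original autostart executable into a bak subfolder and drops its own file under the original name, so the live file and the backup share a name but not a size. Post #19 then restores from those backups with FindAWF option 2. The Python script below is an added example, not part of this thread and not noahdfear's FindAWF; it parses lines in the format of the "Duplicate files of bak directory contents" section, pairs each bak\<name> entry with <dir>\<name> in the parent folder, and classifies the pair as MISSING (no live file, as with iTunesHelper.exe in post #18 before the restore), MATCH (same size and date, as after the restore) or REPLACED (a live file that differs from its backup). The sample lines are constructed from the first report in post #18 plus one made-up pair under C:\Example to show the REPLACED case, which this thread never hit.

```python
# Added example (not from the original thread or from FindAWF): pair each
# <dir>\bak\<name> entry from a FindAWF duplicate listing with the live
# <dir>\<name> and classify the pair.
import re
from pathlib import PureWindowsPath

# One report line:  <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

# Constructed sample, modelled on the first report in post #18 (iTunesHelper
# has no live copy yet; the MUSICMATCH Update copy is a third file that is
# not the bak's sibling) plus one made-up pair under C:\Example.
SAMPLE = r'''
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
155648 Nov 1 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Nov 1 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
53248 Jul 30 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Jul 30 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 May 24 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
45056 Jan 5 2008 "C:\Example\helper.exe"
28672 Jan 5 2008 "C:\Example\bak\helper.exe"
'''


def parse_report(text: str) -> dict[str, tuple[int, str]]:
    """Map each quoted path (lower-cased, Windows paths are case-insensitive)
    to its (size, date) as printed in the report; non-matching lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            size, date, path = m.groups()
            entries[path.lower()] = (int(size), date)
    return entries


def classify_pairs(text: str) -> dict[str, str]:
    """For every <dir>\bak\<name> entry return the state of <dir>\<name>:

    MISSING  - no live file in the report: the replacement is gone and the
               original has not been put back (restore needed)
    MATCH    - live file has the backup's size and date (restored / untouched)
    REPLACED - live file exists but differs from the backup (suspect)

    Same-named files elsewhere on disk are not the bak's sibling and are ignored."""
    entries = parse_report(text)
    result = {}
    for path, backup in entries.items():
        p = PureWindowsPath(path)
        if p.parent.name != "bak":
            continue
        live = str(p.parent.parent / p.name)
        if live not in entries:
            result[live] = "MISSING"
        elif entries[live] == backup:
            result[live] = "MATCH"
        else:
            result[live] = "REPLACED"
    return result


if __name__ == "__main__":
    for live_path, state in sorted(classify_pairs(SAMPLE).items()):
        print(f"{state:8} {live_path}")
```

Size and date are all a FindAWF report carries, and a replacement that pads itself to the original's size would show as MATCH here, so on the live machine the same pairing should be repeated with a hash of both files before the bak folders are removed (option 3).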

#20 MBison (Topic Starter, Member, 27 posts)
Here ya go, I ran FindAWF and pasted in the contents you provided and used option 2. It gave me a report that looks similar. I checked all of the files in the list and they are the original versions.

Let me know if there's anything else I need to do. My system is running much better, thanks so much again!

#21 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Where is that log ?

#22 MBison (Topic Starter, Member, 27 posts)
oops! Sorry, here it is.


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 02/04/2008
The current time is: 22:39:54.56


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/18/2005 11:58 AM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

11/01/2005 11:38 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/29/2002 05:00 AM 13,312 ctfmon.exe
08/14/2002 06:22 PM 28,672 DSentry.exe
09/28/2005 03:35 PM 63,696 dxdllreg.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
4 File(s) 261,328 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\BAK

08/12/2005 01:43 PM 45,056 cli.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

06/10/2004 08:10 PM 339,968 atiptaxx.exe
1 File(s) 339,968 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\IGN\DOWNLO~1\BAK

11/07/2006 05:22 PM 972,432 DLM.exe
1 File(s) 972,432 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

03/28/2003 04:20 PM 143,360 mm_tray.exe
07/30/2003 12:02 AM 53,248 mmtask.exe
2 File(s) 196,608 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

07/16/2002 07:21 AM 28,672 WkUFind.exe
1 File(s) 28,672 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

06/28/2003 09:35 PM 151,597 realsched.exe
1 File(s) 151,597 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

09/30/2002 01:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

10/29/2002 09:18 AM 49,152 CTSysVol.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\INTEL\NCS\PROSET\BAK

03/11/2003 04:24 PM 86,016 PRONoMgr.exe
1 File(s) 86,016 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

06/03/2005 02:52 AM 36,975 jusched.exe
1 File(s) 36,975 bytes


12/17/2002 12:28 PM 684,032 DirectCD.exe
1 File(s) 684,032 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

278528 Oct 18 2005 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 18 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
155648 Nov 1 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Nov 1 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\DSentry.exe"
28672 Aug 14 2002 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
63696 Sep 28 2005 "C:\WINDOWS\SYSTEM32\dxdllreg.exe"
46592 Dec 12 2002 "C:\WINDOWS\RegisteredPackages\{44BBA855-CC51-11CF-AAFA-00AA00B6015C}\dxdllreg.exe"
63696 Sep 28 2005 "C:\WINDOWS\SYSTEM32\bak\dxdllreg.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\NeroCheck.exe"
155648 Jul 9 2001 "C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe"
45056 Aug 12 2005 "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe"
45056 Aug 12 2005 "C:\Program Files\ATI Technologies\ATI.ACE\bak\cli.exe"
49152 Jul 17 2007 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.exe"
339968 Jun 10 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
339968 Jun 10 2004 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
972432 Nov 7 2006 "C:\Program Files\IGN\Download Manager\DLM.exe"
972432 Nov 7 2006 "C:\Program Files\IGN\Download Manager\bak\DLM.exe"
53248 Jul 30 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe"
53248 Jul 30 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mmtask.exe"
53248 May 24 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mmtask.exe"
143360 Mar 28 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
143360 Mar 28 2003 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
131072 May 24 2004 "C:\Program Files\MUSICMATCH\MUSICMATCH Update\MMJB\mm_tray.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
28672 Jul 16 2002 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
151597 Jun 28 2003 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
151597 Jun 28 2003 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
45056 Sep 30 2002 "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE"
45056 Sep 30 2002 "C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
49152 Oct 29 2002 "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
49152 Oct 29 2002 "C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
86016 Mar 11 2003 "C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe"
86016 Mar 11 2003 "C:\Program Files\Intel\NCS\PROSet\bak\PRONoMgr.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
684032 Dec 17 2002 "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe"


end of report
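The "Duplicate files of bak directory contents" section above is what the helper reads to decide whether each live executable now matches the original that was moved into the bak folder. The following is an added example, not FindAWF's own code: it parses that section (assuming the report format shown above) and, for every file under a bak folder, compares size and date with the copy in the parent folder. The sample report is constructed from a few lines of the report above plus a made-up C:\Example\App pair that deliberately does not match.

```python
import re
from collections import namedtuple
Entry = namedtuple("Entry", "size date path")
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

# Constructed sample: lines taken from the report above plus a made-up
# C:\Example\App pair whose live copy does NOT match its bak original.
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
32881 Feb 22 2004 "C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\bak\jusched.exe"
40960 Jan 15 2008 "C:\Example\App\tray.exe"
28672 Jul 16 2002 "C:\Example\App\bak\tray.exe"
end of report
"""

def parse_duplicates(report):
    """Return Entry tuples from the 'Duplicate files' section of a FindAWF report."""
    entries, in_section = [], False
    for line in report.splitlines():
        line = line.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        m = LINE_RE.match(line) if in_section else None
        if m:
            date = " ".join(m.group(2).split())  # normalise date spacing
            entries.append(Entry(int(m.group(1)), date, m.group(3)))
    return entries

def check_bak_pairs(entries):
    """For each file inside a bak folder, look up the live copy in the parent folder:
    'match' = original back in place, 'mismatch' = live file still differs."""
    by_path = {e.path.lower(): e for e in entries}
    verdicts = {}
    for e in entries:
        low = e.path.lower()
        if "\\bak\\" not in low:
            continue  # a live file or an unrelated copy elsewhere
        live = by_path.get(low.replace("\\bak\\", "\\", 1))
        if live is None:
            verdicts[e.path] = "live copy missing"
        elif (live.size, live.date) == (e.size, e.date):
            verdicts[e.path] = "match"
        else:
            verdicts[e.path] = "mismatch"
    return verdicts
```

A "mismatch" verdict means the file in the program folder is not the backed-up original, so it deserves a look before the bak folders are removed.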

#23
MBison

    Member

  • Topic Starter
  • Member
  • 27 posts
Quick question also. At this point, after all of these fixes and removal of nasty malware, I notice there's a new process in my task manager: "ALG.exe". Reading up on it, it seems to be part of XP, basically part of XP's firewall stuff. I just wanted to make sure this is okay as I hadn't noticed it before (I watch my Processes compulsively to make sure nothing weird has appeared there).

Thanks again!

#24
kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
ALG is necessary, nothing to worry about.
==============================
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Program Files\iTunes\bak
    C:\Program Files\QuickTime\bak
    C:\WINDOWS\SYSTEM32\bak
    C:\Program Files\ATI Technologies\ATI.ACE\bak
    C:\Program Files\ATI Technologies\ATI Control Panel\bak
    C:\Program Files\IGN\Download Manager\bak
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak
    C:\Program Files\Common Files\Real\Update_OB\bak
    C:\Program Files\Creative\SBAudigy2\DVDAudio\bak
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak
    C:\Program Files\Intel\NCS\PROSet\bak
    C:\Program Files\Java\jre1.5.0_04\bin\bak
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\bak
    C:\WINDOWS\BAK


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 3, then press Enter.
  • Press any key to continue.
  • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
  • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
  • The program will proceed to remove the bad folders and will perform another scan for bak folders.
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.
