I also have the b.whataboutadog virus. I and Symantec have been trying to remove it for a week now. Do you guys have any suggestions?

Please download FindAWF from this link: FindAWF
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.

Here's the AWF report, and ty for the help again
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Mon 10/15/2007
The current time is: 16:52:14.57
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 06:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes
Directory of C:\WINDOWS\EHOME\BAK
09/29/2005 11:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes
Directory of C:\WINDOWS\SMINST\BAK
07/23/2005 12:14 AM 237,568 RECGUARD.exe
1 File(s) 237,568 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK
02/16/2006 12:34 AM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
10/11/2006 12:45 PM 75,304 OpwareSE4.exe
1 File(s) 75,304 bytes
Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK
06/08/2007 09:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
09/28/2006 01:16 PM 185,896 SSBkgdupdate.exe
1 File(s) 185,896 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
09/20/2006 08:35 AM 20,480 WrtMon.exe
1 File(s) 20,480 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
28176 Oct 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 18 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
116024 Sep 18 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
28176 Oct 2 2007 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
28176 Oct 2 2007 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
28176 Oct 2 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
28176 Oct 2 2007 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
28176 Oct 2 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
28176 Oct 2 2007 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
28176 Oct 2 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
28176 Oct 2 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
end of report

Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
We still have work to do after this phase of the virus removal.
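
Added example, not part of the original thread and not FindAWF's own code: a small Python triage of the "Duplicate files of bak directory contents" listing that pairs each bak copy with the file in its parent folder and reports whether the live file matches the backup. The sample lines are excerpted from the reports posted in this thread; the status names and function names are assumptions made for this sketch.

```python
import ntpath
import re
from collections import Counter, namedtuple

Entry = namedtuple("Entry", "size date path")

# One listing line: <size> <Mon D YYYY> "<path>". A leading run of "~" is
# tolerated because the separator row is sometimes fused onto the first entry
# when a report is pasted into a forum post.
LINE_RE = re.compile(
    r'^[~\s]*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$'
)

# Excerpt of the first report in this thread (before option 2 was run).
BEFORE = r'''
~~~~~~~~~~~~~~~~~~~~~~~28176 Oct 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
'''

# The same entries from the report posted after option 2 was run.
AFTER = r'''
~~~~~~~~~~~~~~~~~~~~~~~28176 Oct 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
'''


def parse_listing(report):
    """Return an Entry for every well-formed listing line; skip everything else."""
    entries = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, date, path = m.groups()
            entries.append(Entry(int(size), " ".join(date.split()), path))
    return entries


def triage(report):
    """Map each live path that has a bak copy to a status string."""
    entries = parse_listing(report)
    by_path = {e.path.lower(): e for e in entries}  # Windows paths: case-insensitive

    pairs = []
    for bak in entries:
        folder = ntpath.dirname(bak.path)
        if ntpath.basename(folder).lower() != "bak":
            continue
        # The live file sits one level above the bak folder, under the same name.
        live_path = ntpath.join(ntpath.dirname(folder), ntpath.basename(bak.path))
        pairs.append((live_path, bak, by_path.get(live_path.lower())))

    # Size+date signatures of live files that no longer match their backup.
    # Unrelated programs sharing one signature point to a single dropped binary.
    changed = Counter(
        (live.size, live.date)
        for _, bak, live in pairs
        if live and (live.size, live.date) != (bak.size, bak.date)
    )

    result = {}
    for live_path, bak, live in pairs:
        if live is None:
            result[live_path] = "missing"
        elif (live.size, live.date) == (bak.size, bak.date):
            result[live_path] = "matches_backup"
        elif changed[(live.size, live.date)] > 1:
            result[live_path] = "shared_signature"
        else:
            result[live_path] = "differs_from_backup"
    return result


if __name__ == "__main__":
    for label, report in (("before option 2", BEFORE), ("after option 2", AFTER)):
        print(label)
        for path, status in triage(report).items():
            print(f"  {status:20} {path}")
```

Size and date are only a quick comparison; a hash of each file against a known-good copy is the stronger check when one is available.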

hijinks file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:42 PM, on 10/15/2007
Platform: Windows XP SP2 (WinNT5.01.2600)
MSIE: Internet Explorer v7.00(7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\SymantecShared\ccSetMgr.exe
c:\Program Files\Common Files\SymantecShared\ccEvtMgr.exe
c:\Program Files\Common Files\SymantecShared\ccProxy.exe
C:\Program Files\Common Files\SymantecShared\PIF\{B8E1DD85-8582-4c61-B58F-2F22
7FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\SymantecShared\SNDSrvc.exe
c:\Program Files\Common Files\SymantecShared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\SymantecShared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CommonFiles\AOL\ACS\AOLAcsd.exe
C:\Program Files\CommonFiles\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\MobileDevice
Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\ProgramFiles\Symantec\LiveUpdate\ALUSchedulerSv
c.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CommonFiles\LightScribe\LSSrvc.exe
c:\Program Files\Norton InternetSecurity\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\SymantecShared\Security Console\NSCSRVCE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\SymantecShared\ccApp.exe
C:\Program Files\Yahoo!\SearchProtection\SearchProtection.exe
C:\WINDOWS\RTHDCPL.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\CommonFiles\AOL\ACS\AOLDial.exe
C:\WINDOWS\ARPWRMSG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\COMMON~1\AOL\119189~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\119189~1\EE\AOLServiceHost.exe
C:\Program Files\Yahoo!\SearchProtection\bak\SearchProtection.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InternetExplorer\IEXPLORE.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TrendMicro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet
Explorer\Main,Start Page =
http://ie.redirect.hp.com/svs/rdr?T...
iehome&locale=EN_US&c=64&bd=PRESARIO
&pf=desktop
R0 - HKCU\Software\Microsoft\InternetExplorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) -{02478D38-C3F9-4efb-9B51-7695ECA05670} -
(no file)
O2 - BHO: Adobe PDF Reader Link Helper -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat
7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class -{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
- C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper -{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
- c:\Program Files\Norton Internet
Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: hpWebHelper Class -{AAAE832A-5FFF-4661-9C8F-369692D1DCB9}
-
C:\WINDOWS\pchealth\helpctr\Vendors\CN=H
ewlett-Packard,L=Cupertino,S=Ca,C=US\plug
in\WebHelper.dll
O3 - Toolbar: Norton AntiVirus -{C4069E3A-68F1-403E-B40E-20066696354B} -
c:\Program Files\Norton Internet
Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\ProgramFiles\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng]"C:\Program Files\Common Files\Symantec
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F22
7FCA9A08}\PIFSvc.exe" /a /m "C:\Program
Files\Common Files\Symantec
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F22
7FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [YSearchProtection]"C:\Program Files\Yahoo!\Search
Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [WrtMon.exe]C:\WINDOWS\system32\spool\drivers\w32x86\
3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched]"C:\Program
Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate]"C:\Program Files\Common Files\Scansoft
Shared\SSBkgdUpdate\SSBkgdupdate.exe"
-Embedding -boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Recguard]C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [QuickTime Task]"C:\Program
Files\QuickTime\bak\QTTask.exe"
-atboottime
O4 - HKLM\..\Run: [OpwareSE4] "C:\ProgramFiles\ScanSoft\OmniPageSE4.0\OpwareSE4.e
xe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon]RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper]"C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\ProgramFiles\Hewlett-Packard\HP Boot
Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update]C:\Program Files\Hp\HP Software
Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\ProgramFiles\Common
Files\AOL\1191896914\EE\AOLHostManager.e
xe
O4 - HKLM\..\Run: [ftutil2] rundll32.exeftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ehTray]C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\ProgramFiles\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlwaysReady PowerMessage APP] ARPWRMSG.exe
O4 -HKUS\S-1-5-21-917604045-547949620-33088
79918-1008\..\Run: [YSearchProtection]
C:\Program Files\Yahoo!\Search
Protection\SearchProtection.exe (User
'DEBORAH')
O4 -HKUS\S-1-5-21-917604045-547949620-33088
79918-1008\..\Run: [AOL Fast Start]
"C:\Program Files\America Online
9.0\AOL.exe" -b (User 'DEBORAH')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM]C:\Program Files\MySpace\IM\MySpaceIM.exe
(User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM]C:\Program Files\MySpace\IM\MySpaceIM.exe
(User 'Default user')
O4 -S-1-5-21-917604045-547949620-3308879918-
1008 Startup: PinMcLnk.lnk =
C:\hp\bin\cloaker.exe (User 'DEBORAH')
O4 -S-1-5-21-917604045-547949620-3308879918-
1008 User Startup: PinMcLnk.lnk =
C:\hp\bin\cloaker.exe (User 'DEBORAH')
O4 - .DEFAULT User Startup: Pin.lnk =C:\hp\bin\CLOAKER.exe (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk =C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader SpeedLaunch.lnk = C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
O4 - Global Startup: CompaqConnections.lnk = C:\Program Files\Compaq
Connections\5577497\Program\Compaq
Connections.exe
O4 - Global Startup: Kodak EasySharesoftware.lnk = C:\Program
Files\Kodak\Kodak EasyShare
software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL ToolbarSearch - c:\program files\aol\aol toolbar
5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport toMicrosoft Excel -
res://C:\PROGRA~1\MICROS~4\OFFICE11\EXC
EL.EXE/3000
O9 - Extra button: (no name) -{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun JavaConsole -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
- C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research -{92780B25-18CC-41C8-B9BE-3C9C571A8263}
-
C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBA
R.DLL
O9 - Extra button: Internet Connection Help -{E2D4D26B-0180-43a4-B05F-462D6D54C789}
-
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\C
N=Hewlett-Packard,L=Cupertino,S=Ca,C=US\
IEButton\support.htm
O9 - Extra 'Tools' menuitem: InternetConnection Help -
{E2D4D26B-0180-43a4-B05F-462D6D54C789}
-
C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\C
N=Hewlett-Packard,L=Cupertino,S=Ca,C=US\
IEButton\support.htm
O9 - Extra button: (no name) -{e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem:@xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network
Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger -{FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: WindowsMessenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF:{49232000-16E4-426C-A231-62846947304B}
(SysData Class) -
http://ipgweb.cce.hp.com/rdqcpqdktp...
ads/sysinfo.cab
O16 - DPF:{DBA230D1-8467-4e69-987E-5FAE815A3B45}
-
O23 - Service: AOL Connectivity Service(AOL ACS) - America Online - C:\Program
Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOLTopSpeedMonitor) - America Online, Inc -
C:\Program Files\Common
Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple,Inc. - C:\Program Files\Common
Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdateScheduler - Symantec Corporation -
C:\Program
Files\Symantec\LiveUpdate\ALUSchedulerSv
c.exe
O23 - Service: Symantec Event Manager(ccEvtMgr) - Symantec Corporation -
c:\Program Files\Common Files\Symantec
Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet SecurityPassword Validation (ccISPwdSvc) -
Symantec Corporation - c:\Program
Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy(ccProxy) - Symantec Corporation -
c:\Program Files\Common Files\Symantec
Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager(ccSetMgr) - Symantec Corporation -
c:\Program Files\Common Files\Symantec
Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) -Symantec Corporation - c:\Program
Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager(IDriverT) - Macrovision Corporation -
C:\Program Files\Common
Files\InstallShield\Driver\1050\Intel
32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. -C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService DirectDisc Labeling Service (LightScribeService) -
Hewlett-Packard Company - C:\Program
Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - SymantecCorporation -
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~
1.EXE
O23 - Service: LiveUpdate Notice Service -Symantec Corporation - C:\Program
Files\Common Files\Symantec
Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F22
7FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-ProtectService (navapsvc) - Symantec Corporation -
c:\Program Files\Norton Internet
Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection CenterService (NSCService) - Symantec
Corporation - c:\Program Files\Common
Files\Symantec Shared\Security
Console\NSCSRVCE.exe
O23 - Service: NVIDIA Display Driver Service(NVSvc) - NVIDIA Corporation -
C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan)- Symantec Corporation - c:\Program
Files\Norton Internet Security\Norton
AntiVirus\SAVScan.exe
O23 - Service: Symantec Network DriversService (SNDSrvc) - Symantec Corporation -
c:\Program Files\Common Files\Symantec
Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc(SPBBCSvc) - Symantec Corporation -
c:\Program Files\Common Files\Symantec
Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknownowner - C:\Program Files\Common
Files\Symantec
Shared\CCPD-LC\symlcsvc.exe
--
End of file - 11051 bytes
awf file
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: Mon 10/15/2007
The current time is: 18:08:25.75
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 06:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes
Directory of C:\WINDOWS\EHOME\BAK
09/29/2005 11:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes
Directory of C:\WINDOWS\SMINST\BAK
07/23/2005 12:14 AM 237,568 RECGUARD.exe
1 File(s) 237,568 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK
02/16/2006 12:34 AM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
10/11/2006 12:45 PM 75,304 OpwareSE4.exe
1 File(s) 75,304 bytes
Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK
06/08/2007 09:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
09/28/2006 01:16 PM 185,896 SSBkgdupdate.exe
1 File(s) 185,896 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
09/20/2006 08:35 AM 20,480 WrtMon.exe
1 File(s) 20,480 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
28176 Oct 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 18 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
116024 Sep 18 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
end of report

Option 3:
Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Next,
Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
Next, go to start> run> type in notepad> click format> uncheck "word wrap". Exit Notepad.
Post a new Hijack This log please.

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Tue 10/16/2007
The current time is: 6:24:06.18
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 06:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes
Directory of C:\WINDOWS\EHOME\BAK
09/29/2005 11:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes
Directory of C:\WINDOWS\SMINST\BAK
07/23/2005 12:14 AM 237,568 RECGUARD.exe
1 File(s) 237,568 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK
02/16/2006 12:34 AM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
10/11/2006 12:45 PM 75,304 OpwareSE4.exe
1 File(s) 75,304 bytes
Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK
06/08/2007 09:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
09/28/2006 01:16 PM 185,896 SSBkgdupdate.exe
1 File(s) 185,896 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
09/20/2006 08:35 AM 20,480 WrtMon.exe
1 File(s) 20,480 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
28176 Oct 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 18 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
116024 Sep 18 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
end of report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:21 AM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\RTHDCPL.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\ARPWRMSG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\COMMON~1\AOL\119189~1\EE\AOLHOS~1.exe
C:\PROGRA~1\COMMON~1\AOL\119189~1\EE\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: hpWebHelper Class - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1191896914\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.exe
O4 - HKUS\S-1-5-21-917604045-547949620-3308879918-1008\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (User 'DEBORAH')
O4 - HKUS\S-1-5-21-917604045-547949620-3308879918-1008\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.exe" -b (User 'DEBORAH')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - S-1-5-21-917604045-547949620-3308879918-1008 Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'DEBORAH')
O4 - S-1-5-21-917604045-547949620-3308879918-1008 User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'DEBORAH')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.exe (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-us\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp...
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10815 bytes

Looks good.
Update your java. Go to start> control panel> java> update> update now> uncheck/decline any google toolbar options.
Once updated, go to control panel> add/remove programs and uninstall all the other java versions on the computer except for the jre1.6.0_03 version you just installed. Those older versions are one way you could have been infected.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.
Run Hijack This, close all windows except Hijack This, place a check to the left of the following items and press "fix checked":
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.
You should add "Spywareblaster" to your arsenal of antispyware tools, just do a google search for spywareblaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

ComboFix 07-10-16.1 - Compaq_Administrator 2007-10-16 19:59:06.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.283 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\DEBORAH\Application Data\FunWebProducts
C:\Documents and Settings\DEBORAH\Application Data\FunWebProducts\Data\DEBORAH\avatar.dat
C:\Documents and Settings\DEBORAH\Application Data\FunWebProducts\Data\DEBORAH\register.dat
C:\Documents and Settings\DEBORAH\Application Data\FunWebProducts\Data\DEBORAH\zbucks.dat
C:\Documents and Settings\DEBORAH\Application Data\macromedia\Flash Player\#SharedObjects\VHKZXG3E\www.broadcaster.com
C:\Documents and Settings\DEBORAH\Application Data\macromedia\Flash Player\#SharedObjects\VHKZXG3E\www.broadcaster.com\played_list.sol
C:\Documents and Settings\DEBORAH\Application Data\macromedia\Flash Player\#SharedObjects\VHKZXG3E\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\DEBORAH\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\DEBORAH\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\_000006_.tmp.dll
C:\WINDOWS\system32\_000007_.tmp.dll
C:\WINDOWS\system32\_000010_.tmp.dll
C:\WINDOWS\system32\_000011_.tmp.dll
C:\WINDOWS\system32\_000012_.tmp.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
.
2007-10-16 19:37 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 18:02 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-15 04:57 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-10-15 04:33 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-14 17:39 <DIR> d-------- C:\My Music
2007-10-14 11:44 <DIR> d----c--- C:\Documents and Settings\Compaq_Administrator\jrc
2007-10-13 20:42 <DIR> d-------- C:\WINDOWS\pss
2007-10-13 20:36 4,284 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-12 09:34 <DIR> d-------- C:\Documents and Settings\Jannas Place to Surf\Application Data\MySpace
2007-10-11 21:23 <DIR> d-------- C:\Program Files\MySpace
2007-10-11 21:23 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\MySpace
2007-10-10 15:31 <DIR> d-------- C:\Documents and Settings\DEBORAH\Application Data\Template
2007-10-08 21:29 <DIR> d-------- C:\Program Files\Common Files\AolCoach
2007-10-08 21:29 173,184 --a------ C:\WINDOWS\system32\ygpss.scr
2007-10-08 21:28 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-10-08 21:28 <DIR> d-------- C:\Program Files\America Online 9.0
2007-10-08 15:59 230 --a------ C:\vrqtoolSREnable.reg
2007-10-08 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2007-10-05 18:27 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-05 18:25 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-01 11:57 <DIR> d-------- C:\Documents and Settings\Jannas Place to Surf\Application Data\HP
2007-09-29 20:51 <DIR> d-------- C:\Documents and Settings\Compaq_Administrator\Application Data\NewSoft
2007-09-19 18:17 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Yahoo!
2007-09-19 12:23 <DIR> d-------- C:\Documents and Settings\Jannas Place to Surf\Application Data\WildTangent
2007-09-18 21:16 <DIR> d-------- C:\Program Files\iTunes
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-17 00:20 --------- d-----w C:\Program Files\Java
2007-10-16 11:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-15 23:08 --------- d-----w C:\Program Files\QuickTime
2007-10-15 22:06 --------- d-----w C:\Documents and Settings\DEBORAH\Application Data\LimeWire
2007-10-15 11:04 --------- d-----w C:\Program Files\Yahoo!
2007-10-15 11:03 --------- d--h--r C:\Documents and Settings\Compaq_Administrator\Application Data\yahoo!
2007-10-15 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-14 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Zylom
2007-10-13 03:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Digital Interactive Systems Corporation
2007-10-10 03:08 --------- d-----w C:\Documents and Settings\DEBORAH\Application Data\AOL
2007-10-09 02:30 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-09 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-08 11:18 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-08 11:18 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-08 11:18 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-10-08 11:18 --------- d-----w C:\Program Files\Symantec
2007-10-05 19:20 --------- d-----w C:\Program Files\Norton Internet Security
2007-10-03 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
2007-09-27 23:41 --------- d-----w C:\Program Files\DISC
2007-09-26 23:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\WildTangent
2007-09-23 15:48 102,664 ----a-w C:\WINDOWS\system32\drivers\tmcomm.sys
2007-09-19 02:16 --------- d-----w C:\Program Files\iPod
2007-09-19 02:10 --------- d-----w C:\Program Files\Apple Software Update
2007-09-10 04:10 --------- d-----w C:\Documents and Settings\Jannas Place to Surf\Application Data\Viewpoint
2007-09-10 04:10 --------- d-----w C:\Documents and Settings\Jannas Place to Surf\Application Data\AOL
2007-09-08 23:35 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-05 15:53 --------- d-----w C:\Program Files\MSN Games
2007-09-04 13:33 --------- d-----w C:\Documents and Settings\Jannas Place to Surf\Application Data\Yahoo!
2007-09-03 00:13 --------- d-----w C:\Program Files\Oberon Media
2007-08-28 01:22 --------- d-----w C:\Documents and Settings\DEBORAH\Application Data\Yahoo!
2007-08-27 22:13 97,672 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-08-27 22:13 31,624 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-08-27 22:13 28,040 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-08-27 22:13 23,944 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-08-27 22:13 189,320 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-08-27 22:13 12,680 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-08-27 00:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\FunGames
2007-01-29 23:50 0 -c--a-w C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2007-01-22 20:57 0 -c--a-w C:\Documents and Settings\DEBORAH\Application Data\wklnhst.dat
2006-02-19 17:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 185,896 2006-09-28 18:16:20 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
----a-w 185,896 2006-09-28 18:16:20 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
----a-w 249,856 2006-02-16 05:34:58 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w 249,856 2006-02-16 05:34:58 C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
----a-w 267,064 2007-09-14 15:00:06 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 28,176 2007-10-03 00:33:58 C:\Program Files\iTunes\iTunesHelper.exe
----a-w 132,496 2007-07-12 09:00:36 C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe
----a-w 286,720 2007-06-29 11:24:52 C:\Program Files\QuickTime\bak\QTTask.exe
----a-w 286,720 2007-06-29 11:24:52 C:\Program Files\QuickTime\QTTask.exe
----a-w 75,304 2006-10-11 17:45:12 C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
----a-w 75,304 2006-10-11 17:45:12 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe
----a-w 224,248 2007-06-08 14:59:38 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
----a-w 67,584 2005-09-30 04:01:14 C:\WINDOWS\ehome\bak\ehtray.exe
----a-w 64,512 2005-08-06 03:56:34 C:\WINDOWS\ehome\ehtray.exe
----a-w 237,568 2005-07-23 05:14:00 C:\WINDOWS\SMINST\bak\RECGUARD.exe
----a-w 237,568 2005-07-23 05:14:00 C:\WINDOWS\SMINST\RECGUARD.exe
----a-w 20,480 2006-09-20 13:35:26 C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe
----a-w 20,480 2006-09-20 13:35:26 C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 23:19]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
"WrtMon.exe"="C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 08:35]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 13:16]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 22:05 C:\WINDOWS\RTHDCPL.EXE]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.exe" [2005-07-23 00:14]
"QuickTime Task"="C:\Program Files\QuickTime\bak\QTTask.exe" [2007-06-29 06:24]
"PCDrProfiler"="" []
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 12:45]
"nwiz"="nwiz.exe" [2006-05-09 17:50 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-05-09 17:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-10-02 19:33]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 00:34]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"HostManager"="C:\Program Files\Common Files\AOL\1191896914\EE\AOLHostManager.exe" [2004-11-03 16:03]
"ftutil2"="ftutil2.dll" [2004-06-07 16:05 C:\WINDOWS\system32\ftutil2.dll]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 22:56]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 08:40]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-03 01:19 C:\WINDOWS\arpwrmsg.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\Documents and Settings\DEBORAH\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-09-11 19:49:49]
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-09-11 19:49:49]
C:\Documents and Settings\Jannas Place to Surf\Start Menu\Programs\Startup\
PinMcLnk.lnk - C:\hp\bin\cloaker.exe [2006-09-11 19:49:49]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-09-11 20:38:53]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-02 05:29:26]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys
*Newly Created Service* - COMHOST
*Newly Created Service* - MDMXSDK
.
Contents of the 'Scheduled Tasks' folder
"2007-10-09 19:19:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-10-12 09:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Compaq_Administrator.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe
"2007-10-07 12:53:41 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - DEBORAH.job"
- c:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe
"2007-10-16 11:01:51 C:\WINDOWS\Tasks\Norton AntiVirus - Run Norton QuickScan - Compaq_Administrator.job"
"2007-10-07 12:52:57 C:\WINDOWS\Tasks\Norton AntiVirus - Run Norton QuickScan - DEBORAH.job"
"2007-10-16 04:34:21 C:\WINDOWS\Tasks\User_Feed_Synchronization-{A6069590-57C1-4AF5-A407-04B4B5CDD818}.job"
"2007-01-22 18:05:05 C:\WINDOWS\Tasks\Warranty Reminder 11 month.job"
- c:\windows\system32\pcintro\reminder\Warranty_Reminder_11_month\Warranty_Reminder_11_month.bat
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-16 20:02:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-16 20:03:24
.
--- E O F ---

Go to start> control panel>add/remove programs and uninstall all older versions of java. The only version you should have is jre1.6.0_03.
Do another AWF scan please.
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.

Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Tue 10/16/2007
The current time is: 22:19:45.04
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
09/14/2007 10:00 AM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 06:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes
Directory of C:\WINDOWS\EHOME\BAK
09/29/2005 11:01 PM 67,584 ehtray.exe
1 File(s) 67,584 bytes
Directory of C:\WINDOWS\SMINST\BAK
07/23/2005 12:14 AM 237,568 RECGUARD.exe
1 File(s) 237,568 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK
02/16/2006 12:34 AM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
10/11/2006 12:45 PM 75,304 OpwareSE4.exe
1 File(s) 75,304 bytes
Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK
06/08/2007 09:59 AM 224,248 SearchProtection.exe
1 File(s) 224,248 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
09/28/2006 01:16 PM 185,896 SSBkgdupdate.exe
1 File(s) 185,896 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
09/20/2006 08:35 AM 20,480 WrtMon.exe
1 File(s) 20,480 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
28176 Oct 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 18 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
116024 Sep 18 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
end of report

OMG. I was checking something this morning and the virus showed up again. What do I do now? Thanks, Jerrold

It has not left yet.
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
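Added example, not part of the original posts and not FindAWF's own code: a Python sketch that reads the "Duplicate files of bak directory contents" section of a FindAWF report and flags parent-folder files whose size differs from the copy in the bak folder, plus any size and date shared by several such files. The function names and the `min_cluster` threshold are assumptions; the sample lines are excerpted from the reports quoted in this thread.

```python
import ntpath
import re
from collections import defaultdict

# One entry of the "Duplicate files of bak directory contents" section:
#   <size in bytes> <Mon> <day> <year> "<full path>"
ENTRY_RE = re.compile(
    r'^\s*(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$'
)

# Excerpt assembled from the FindAWF reports posted in this thread
# (lines from two different reports, combined here for illustration).
SAMPLE_REPORT = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
26636 Oct 10 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 27 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
26636 Oct 10 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
26636 Oct 10 2007 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
end of report
'''


def parse_entries(report_text):
    """Return [(size, 'Mon D YYYY', path), ...] for every duplicate-file line."""
    entries = []
    for line in report_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries.append((int(size), f"{mon} {int(day)} {year}", path))
    return entries


def parent_of_bak(path):
    r"""Map ...\dir\bak\name.exe to ...\dir\name.exe; None if not in a bak folder."""
    folder, name = ntpath.split(path)
    head, tail = ntpath.split(folder)
    if tail.lower() != "bak":
        return None
    return ntpath.join(head, name)


def review_bak_report(report_text, min_cluster=3):
    """Pair each bak copy with the file in its parent folder and compare sizes.

    A size mismatch is a lead for review, not a verdict: a legitimate update
    also changes the size. Equal size is not proof either; confirm with a hash
    or signature check. Several mismatching parent files that share one size
    and date are the stronger signal (one file copied over many programs).
    """
    entries = parse_entries(report_text)
    # Windows paths are case-insensitive, so key the lookup on lower case.
    by_path = {path.lower(): (size, date) for size, date, path in entries}
    pairs = []
    suspects = defaultdict(list)
    for bak_size, _bak_date, bak_path in entries:
        parent = parent_of_bak(bak_path)
        if parent is None:
            continue
        live = by_path.get(parent.lower())
        if live is None:
            status = "parent-missing"
        elif live[0] == bak_size:
            status = "same-size"
        else:
            status = "size-mismatch"
            suspects[live].append(parent)
        pairs.append({"parent": parent, "bak": bak_path, "status": status})
    clusters = {k: v for k, v in suspects.items() if len(v) >= min_cluster}
    return {"pairs": pairs, "clusters": clusters}


if __name__ == "__main__":
    result = review_bak_report(SAMPLE_REPORT)
    for pair in result["pairs"]:
        print(f'{pair["status"]:14} {pair["parent"]}')
    for (size, date), paths in result["clusters"].items():
        print(f"{len(paths)} mismatching files share {size} bytes / {date}")
```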

Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Wed 10/17/2007
The current time is: 11:42:55.21
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
09/26/2007 02:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\LEXMAR~1\BAK
01/16/2004 05:04 AM 57,344 lxbmbmgr.exe
1 File(s) 57,344 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 06:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes
Directory of C:\WINDOWS\EHOME\BAK
08/10/2004 01:04 PM 59,392 ehtray.exe
1 File(s) 59,392 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
10/08/2004 11:52 AM 221,184 LVCOMSX.exe
1 File(s) 221,184 bytes
Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK
11/02/2004 10:24 PM 32,768 PDVDServ.exe
1 File(s) 32,768 bytes
Directory of C:\PROGRA~1\LEXMAR~1\FAX\BAK
01/22/2004 10:59 AM 151,552 fm3032.exe
1 File(s) 151,552 bytes
Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK
10/08/2004 12:31 PM 458,752 ISStart.exe
10/08/2004 12:24 PM 217,088 LogiTray.exe
10/08/2004 12:06 PM 196,608 ManifestEngine.exe
3 File(s) 872,448 bytes
Directory of C:\PROGRA~1\MCAFEE\SPAMKI~1\BAK
09/26/2005 12:26 PM 110,592 MskAgent.exe
11/07/2006 02:49 PM 1,121,280 MSKDetct.exe
2 File(s) 1,231,872 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK
09/22/2005 06:29 PM 303,104 mcagent.exe
01/11/2006 12:05 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK
11/11/2005 05:00 PM 1,005,096 MpfTray.exe
1 File(s) 1,005,096 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\VSO\BAK
07/08/2005 06:18 PM 151,552 mcmnhdlr.exe
08/10/2005 02:49 PM 163,840 mcvsshld.exe
08/12/2005 12:02 AM 53,248 oasclnt.exe
3 File(s) 368,640 bytes
Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes
Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK
03/09/2007 06:53 PM 153,136 NeroCheck.exe
1 File(s) 153,136 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
05/18/2007 11:58 AM 185,896 realsched.exe
1 File(s) 185,896 bytes
Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK
03/09/2007 11:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes
Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK
04/11/2007 08:44 AM 20,480 BackWeb-8876480.exe
1 File(s) 20,480 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
26636 Oct 10 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 27 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Sep 27 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
116288 Jun 9 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\APKPSJQB\iTunesSetupAdmin[1].exe"
26636 Oct 10 2007 "C:\Program Files\Lexmark 4200 Series\lxbmbmgr.exe"
57344 Jan 16 2004 "C:\Program Files\Lexmark 4200 Series\bak\lxbmbmgr.exe"
26636 Oct 10 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
26636 Oct 10 2007 "C:\WINDOWS\ehome\ehtray.exe"
59392 Aug 10 2004 "C:\WINDOWS\ehome\bak\ehtray.exe"
26636 Oct 10 2007 "C:\WINDOWS\system32\LVCOMSX.exe"
221184 Oct 8 2004 "C:\WINDOWS\system32\bak\LVCOMSX.exe"
26636 Oct 10 2007 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
32768 Nov 2 2004 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
26636 Oct 10 2007 "C:\Program Files\Lexmark 4200 Series\Fax\fm3032.exe"
151552 Jan 22 2004 "C:\Program Files\Lexmark 4200 Series\Fax\bak\fm3032.exe"
26636 Oct 10 2007 "C:\Program Files\Logitech\Video\ISStart.exe"
458752 Oct 8 2004 "C:\Program Files\Logitech\Video\bak\ISStart.exe"
26636 Oct 10 2007 "C:\Program Files\Logitech\Video\LogiTray.exe"
217088 Oct 8 2004 "C:\Program Files\Logitech\Video\bak\LogiTray.exe"
26636 Oct 10 2007 "C:\Program Files\Logitech\Video\ManifestEngine.exe"
196608 Oct 8 2004 "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
26636 Oct 10 2007 "C:\Program Files\McAfee\SpamKiller\MskAgent.exe"
110592 Sep 26 2005 "C:\Program Files\McAfee\SpamKiller\bak\MskAgent.exe"
26636 Oct 10 2007 "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe"
1121280 Nov 7 2006 "C:\Program Files\McAfee\SpamKiller\bak\MSKDetct.exe"
26636 Oct 10 2007 "C:\Program Files\McAfee.com\Agent\mcagent.exe"
303104 Sep 22 2005 "C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
26636 Oct 10 2007 "C:\Program Files\McAfee.com\Agent\mcupdate.exe"
212992 Jan 11 2006 "C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
26636 Oct 10 2007 "C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe"
1005096 Nov 11 2005 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
26636 Oct 10 2007 "C:\Program Files\McAfee.com\VSO\mcmnhdlr.exe"
151552 Jul 8 2005 "C:\Program Files\McAfee.com\VSO\bak\mcmnhdlr.exe"
26636 Oct 10 2007 "C:\Program Files\McAfee.com\VSO\mcvsshld.exe"
163840 Aug 10 2005 "C:\Program Files\McAfee.com\VSO\bak\mcvsshld.exe"
26636 Oct 10 2007 "C:\Program Files\McAfee.com\VSO\oasclnt.exe"
53248 Aug 12 2005 "C:\Program Files\McAfee.com\VSO\bak\oasclnt.exe"
26636 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
26636 Oct 10 2007 "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
153136 Mar 9 2007 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
26636 Oct 10 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185896 May 18 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
26636 Oct 10 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
26636 Oct 10 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe"
20480 Apr 11 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\BackWeb-8876480.exe"
end of report

Jay Forrester, please start a new thread of your own and state the problem. Do not post any logs without being requested to do so; not my idea, forum rules.

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: 2007-10-17
The current time is: 20:09:22.30
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
2007-09-14 10:00 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
2007-06-29 06:24 286,720 QTTask.exe
1 File(s) 286,720 bytes
Directory of C:\WINDOWS\EHOME\BAK
2005-09-29 23:01 67,584 ehtray.exe
1 File(s) 67,584 bytes
Directory of C:\WINDOWS\SMINST\BAK
2005-07-23 00:14 237,568 RECGUARD.exe
1 File(s) 237,568 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK
2006-02-16 00:34 249,856 HPBootOp.exe
1 File(s) 249,856 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
2005-02-16 23:11 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
2006-10-11 12:45 75,304 OpwareSE4.exe
1 File(s) 75,304 bytes
Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK
2007-06-08 09:59 224,248 SearchProtection.exe
1 File(s) 224,248 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
2006-09-28 13:16 185,896 SSBkgdupdate.exe
1 File(s) 185,896 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
2007-07-12 04:00 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
2006-09-20 08:35 20,480 WrtMon.exe
1 File(s) 20,480 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
267064 Sep 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 18 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
116024 Sep 18 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
end of report

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\ehome\bak\ehtray.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
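
The comparison behind the restore list above (each bak copy against the file in its parent folder) can be run over a saved report. This is an added example, not part of the original thread and not FindAWF's own code; it assumes the "Duplicate files" listing format seen in the reports here, and the names `parse` and `triage` are hypothetical.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Listing lines copied from the reports in this thread, combined into one sample.
SAMPLE = r'''
26636 Oct 10 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
26636 Oct 10 2007 "C:\WINDOWS\system32\LVCOMSX.exe"
221184 Oct 8 2004 "C:\WINDOWS\system32\bak\LVCOMSX.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
'''

# Assumed line format: <size> <Mon> <day> <year> "<full path>"
LINE = re.compile(r'^(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"$')

def parse(report):
    """Return {lower-cased path: size} for every listing line in the report."""
    sizes = {}
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            sizes[m.group(2).lower()] = int(m.group(1))
    return sizes

def triage(report):
    """Classify the file in each parent folder against its bak copy."""
    sizes = parse(report)
    pairs = []
    for path, bak_size in sizes.items():
        p = PureWindowsPath(path)
        if p.parent.name == "bak":
            parent = str(p.parent.parent / p.name)
            pairs.append((parent, sizes.get(parent), bak_size))
    # One size shared by several unrelated mismatched files is the pattern
    # visible in the pre-restore report (26636 bytes, Oct 10 2007).
    shared = Counter(ps for _, ps, bs in pairs if ps is not None and ps != bs)
    result = {}
    for parent, ps, bs in pairs:
        if ps is None:
            result[parent] = "parent missing"
        elif ps == bs:
            result[parent] = "matches bak"
        elif shared[ps] > 1:
            result[parent] = "replaced, shared size %d" % ps
        else:
            result[parent] = "differs from bak"
    return result
```

A lone size difference such as ehtray.exe can be an ordinary version difference, so "differs from bak" is a prompt to check the file, not a verdict.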

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: 2007-10-17
The current time is: 21:29:35.32
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\ITUNES\BAK
2007-09-14 10:00 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
2007-06-29 06:24 286,720 QTTask.exe
1 File(s) 286,720 bytes
Directory of C:\WINDOWS\EHOME\BAK
2005-09-29 23:01 67,584 ehtray.exe
1 File(s) 67,584 bytes
Directory of C:\WINDOWS\SMINST\BAK
2005-07-23 00:14 237,568 RECGUARD.exe
1 File(s) 237,568 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK
2006-02-16 00:34 249,856 HPBootOp.exe
1 File(s) 249,856 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
2005-02-16 23:11 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
2006-10-11 12:45 75,304 OpwareSE4.exe
1 File(s) 75,304 bytes
Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK
2007-06-08 09:59 224,248 SearchProtection.exe
1 File(s) 224,248 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
2006-09-28 13:16 185,896 SSBkgdupdate.exe
1 File(s) 185,896 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
2007-07-12 04:00 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
2006-09-20 08:35 20,480 WrtMon.exe
1 File(s) 20,480 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
267064 Sep 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 18 2007 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
116024 Sep 18 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
64512 Aug 5 2005 "C:\WINDOWS\$NtUninstallKB908246$\ehtray.exe"
64512 Aug 5 2005 "C:\WINDOWS\ehome\ehtray.exe"
67584 Sep 29 2005 "C:\WINDOWS\ehome\bak\ehtray.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 23 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 16 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
75304 Oct 11 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
224248 Jun 8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
185896 Sep 28 2006 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe"
20480 Sep 20 2006 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\WrtMon.exe"
end of report

Option 3:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\ehome\bak
C:\WINDOWS\SMINST\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\ScanSoft\OmniPageSE4.0\bak
C:\Program Files\Yahoo!\Search Protection\bak
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
- It deletes the contents of the bak folders
- Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Next,
Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted, SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again; you also have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue".
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: 2007-10-18
The current time is: 7:23:35.36
bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: 2007-10-18
The current time is: 21:20:17.23
bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report

Much better. How is the computer operating?
You should add "Spywareblaster" to your arsenal of antispyware tools; just do a Google search for spywareblaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Thanks guys, it is working greeeeeeeat now. I downloaded spywareblaster and have it running.
Any ideas of where I should get a good security software? I know that's for another log. :) Thanks again. Jerrold

I run AVG free antivirus, zone alarm free firewall, spywareblaster, and pop-up blocker and have very few problems. Keep Windows updated and Java updated. The key to me is to keep the updatable ones updated.
Glad we could help.

1 more quick question. Does spywareblaster start when I reboot or do I have to open it manually?

Spywareblaster runs in the background; you will not know that it is running. If any spyware attempts to enter the computer that it recognizes, spywareblaster rewrites the script and renders it useless.
Remember, update it and check for updates weekly.


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.