Windows Defender keeps finding Backdoor:Win32/Zonebac.B. It only puts it in quarantine but does not really get rid of it; it's there with every restart.
I can post a HijackThis log if you can help.

Please post your Hijack This log.
Please download FindAWF from this link: FindAWF
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.

My info
Logfile of HijackThis v1.99.1
Scan saved at 2:04:52 PM, on 11/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\bak\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\keyexp\KEYEXP.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/comcast.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.exe /P17 "EPSON PictureMate" /O6 "USB003" /M "PictureMate"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SHWired Helper] C:\WINDOWS\system32\spw.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\bak\mssysmgr.exe
O4 - HKCU\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe /P19 "EPSON Stylus CX6400" /M "Stylus CX6400" /EF "HKCU"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Keyboard Express 95.lnk = C:\Program Files\keyexp\KEYEXP.exe
O4 - Startup: Picaboo.lnk = C:\Program Files\Picaboo\Picaboo\PicabooMain.exe
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - c:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://*.hijackthis.de
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Sat 11/10/2007
The current time is: 13:24:38.93
bak folders found
~~~~~~~~~~~
Directory of C:\HP\KBD\BAK
02/02/2005 03:44 PM 61,440 KBD.exe
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\ITUNES\BAK
09/26/2007 01:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes
Directory of C:\PROGRA~1\ZINIO\BAK
12/14/2006 12:47 PM 1,003,590 ZinioDeliveryManager.exe
1 File(s) 1,003,590 bytes
Directory of C:\WINDOWS\SMINST\BAK
07/22/2005 05:14 PM 237,568 RECGUARD.exe
1 File(s) 237,568 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
08/03/2004 11:00 PM 15,360 ctfmon.exe
05/04/2007 01:57 PM 167,958 spw.exe
2 File(s) 183,318 bytes
Directory of C:\PROGRA~1\CANON\MYPRIN~1\BAK
03/21/2006 08:30 PM 1,191,936 BJMyPrt.exe
1 File(s) 1,191,936 bytes
Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK
09/13/2007 02:08 PM 421,888 avgcc.exe
1 File(s) 421,888 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK
02/15/2006 05:34 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
03/21/2006 01:19 PM 69,632 OpwareSE4.exe
1 File(s) 69,632 bytes
Directory of C:\PROGRA~1\SIBERS~1\AIROBO~1\BAK
10/06/2007 09:32 AM 160,592 RoboTaskBarIcon.exe
1 File(s) 160,592 bytes
Directory of C:\PROGRA~1\SONY\SONICS~1\BAK
11/02/2006 01:43 PM 472,632 SsAAD.exe
1 File(s) 472,632 bytes
Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes
Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK
07/27/2004 06:50 PM 221,184 ISUSPM.exe
1 File(s) 221,184 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
08/17/2006 07:27 PM 180,269 realsched.exe
1 File(s) 180,269 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
09/30/2003 12:14 AM 155,648 SSBkgdupdate.exe
1 File(s) 155,648 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\PROGRA~1\SHUTTE~1\STUDIO\BIN\BAK
03/06/2007 01:05 PM 2,496,512 SFlyStudio.exe
1 File(s) 2,496,512 bytes
Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK
03/09/2007 10:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes
Directory of C:\PROGRA~1\COMCAST\COMCAS~1\DATA\XTRAS\BAK
05/09/2005 06:16 PM 192,512 mssysmgr.exe
1 File(s) 192,512 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
06/02/2003 10:00 PM 99,840 E_S4I2L1.exe
09/19/2003 02:00 AM 99,840 E_S4I2P1.exe
2 File(s) 199,680 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
26636 Oct 10 2007 "C:\hp\KBD\KBD.exe"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.exe"
267048 Nov 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 8 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
116008 Nov 8 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
116008 Nov 8 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\B41NN194\iTunesSetupAdmin[1].exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1003590 Dec 14 2006 "C:\Program Files\Zinio\bak\ZinioDeliveryManager.exe"
26636 Oct 10 2007 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
26636 Oct 10 2007 "C:\WINDOWS\system32\spw.exe"
167958 May 4 2007 "C:\WINDOWS\system32\bak\spw.exe"
26636 Oct 10 2007 "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe"
1191936 Mar 21 2006 "C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe"
579072 Oct 22 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
421888 Sep 13 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
26636 Oct 10 2007 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 15 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
26636 Oct 10 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
26636 Oct 10 2007 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
69632 Mar 21 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
160592 Nov 3 2007 "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
160592 Oct 6 2007 "C:\Program Files\Siber Systems\AI RoboForm\bak\RoboTaskBarIcon.exe"
26636 Oct 10 2007 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
472632 Nov 2 2006 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
26636 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
26636 Oct 10 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
26636 Oct 10 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Aug 17 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
26636 Oct 10 2007 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
155648 Sep 30 2003 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
26636 Oct 10 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
181883 Aug 9 2007 "C:\Program Files\Shutterfly\Studio\SFlyStudioUninstall.exe"
26636 Oct 10 2007 "C:\Program Files\Shutterfly\Studio\Bin\SFlyStudio.exe"
2496512 Mar 6 2007 "C:\Program Files\Shutterfly\Studio\Bin\bak\SFlyStudio.exe"
57344 Sep 9 2005 "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
26636 Oct 10 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
26636 Oct 10 2007 "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe"
192512 May 9 2005 "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
26636 Oct 10 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2L1.exe"
99840 Jun 2 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx64004d7f\E_S4I2L1.exe"
99840 Jun 2 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I2L1.exe"
99840 Sep 19 2003 "C:\Program Files\EPSON\PrinterDriverTemp\PMATE\E_S4I2P1.exe"
26636 Oct 10 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2P1.exe"
99840 Sep 19 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonpicturemateda58\E_S4I2P1.exe"
99840 Sep 19 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I2P1.exe"
end of report

Update your Java. Go to start> control panel> java> update> update now> uncheck/decline any Google Toolbar options if present.
Once updated, go to control panel> add/remove programs and uninstall all the other Java versions on the computer except for the jre1.6.0_03 version you just installed. Those older versions are one way you could have been infected.

Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\hp\KBD\bak\KBD.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Zinio\bak\ZinioDeliveryManager.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\spw.exe"
"C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe"
"C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
"C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
"C:\Program Files\Siber Systems\AI RoboForm\bak\RoboTaskBarIcon.exe"
"C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\Program Files\Shutterfly\Studio\Bin\bak\SFlyStudio.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
"C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I2L1.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I2P1.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
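The restore list above follows directly from the "Duplicate files of bak directory contents" section of the report: wherever the copy in the parent folder differs in size or date from the copy in its bak\ subfolder, or the parent copy is gone altogether, the bak\ copy is the original to put back. The script below is an added example, not FindAWF's own code and not something posted in this thread. It parses that section of a report, pairs each bak\ file with the file that now sits in its parent folder, classifies the pair as replaced, missing or identical, emits the quoted paths in the shape files.txt takes, and flags any size that recurs across unrelated folders (in the report above every replaced parent copy is 26636 bytes, which is the giveaway that one dropper was copied everywhere). The report text inside it is a constructed sample in the same format; the function and field names are mine.

```python
import re
from collections import Counter, namedtuple
from pathlib import PureWindowsPath

# Constructed excerpt in the format of FindAWF's "Duplicate files of bak
# directory contents" section: <size> <Mon D YYYY> "<path>" per line.
SAMPLE_REPORT = r"""Find AWF report (constructed sample)
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
26636 Oct 10 2007 "C:\hp\KBD\KBD.exe"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.exe"
267048 Nov 2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
26636 Oct 10 2007 "C:\WINDOWS\system32\spw.exe"
167958 May 4 2007 "C:\WINDOWS\system32\bak\spw.exe"
1003590 Dec 14 2006 "C:\Program Files\Zinio\bak\ZinioDeliveryManager.exe"
26636 Oct 10 2007 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
end of report
"""

Entry = namedtuple("Entry", "size date path")
Finding = namedtuple("Finding", "status bak_file live_file live_size bak_size")

LINE_RE = re.compile(r'^(\d+) ([A-Za-z]{3} \d{1,2} \d{4}) "(.+)"$')


def parse_duplicates(report_text):
    """Return the entries of the 'Duplicate files' section as Entry tuples."""
    entries = []
    in_section = False
    for raw in report_text.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if line == "end of report":
            break
        if not in_section:
            continue
        # Some copies of the report glue the ~~~ rule onto the first entry.
        line = line.lstrip("~")
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))))
    return entries


def pair_bak_files(entries):
    """Match every file under a bak\\ folder with the same-named file one level up."""
    by_path = {str(e.path).lower(): e for e in entries}  # NTFS paths: compare case-insensitively
    findings = []
    for e in entries:
        if e.path.parent.name.lower() != "bak":
            continue
        live_path = e.path.parent.parent / e.path.name
        live = by_path.get(str(live_path).lower())
        if live is None:
            status = "missing"            # original moved away, nothing left in its place
        elif live.size == e.size and live.date == e.date:
            status = "identical"          # parent copy already matches the backup
        else:
            status = "replaced"           # something else now sits where the original was
        findings.append(Finding(status, str(e.path), str(live_path),
                                live.size if live else None, e.size))
    return findings


def suspicious_sizes(findings, min_hits=3):
    """Sizes shared by the replaced parent copies in several unrelated folders."""
    counts = Counter(f.live_size for f in findings if f.status == "replaced")
    return sorted(size for size, n in counts.items() if n >= min_hits)


def restore_list(findings):
    """Quoted bak\\ paths, one per line, as FindAWF option 2 expects them in files.txt."""
    return [f'"{f.bak_file}"' for f in findings if f.status in ("replaced", "missing")]


if __name__ == "__main__":
    found = pair_bak_files(parse_duplicates(SAMPLE_REPORT))
    for f in found:
        print(f"{f.status:9} {f.live_file}  (live {f.live_size}, bak {f.bak_size})")
    print("size repeated across unrelated folders:", suspicious_sizes(found))
    print("\n".join(restore_list(found)))
```

Run against a real report, the same code drives option 3 as well: the parent of every bak_file in the findings is the folder list for folders.txt. Matching is by path, so a backup whose live copy lives elsewhere (the AVG Free\bak versus AVG7 case in the report above) shows up as "missing" and is left for a human to reconcile rather than silently paired by file name.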

Java updated
Old javas removed
files restored
New report

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: Sat 11/10/2007
The current time is: 15:11:26.10
bak folders found
~~~~~~~~~~~
Directory of C:\HP\KBD\BAK
02/02/2005 03:44 PM 61,440 KBD.exe
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\ITUNES\BAK
09/26/2007 01:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 05:24 AM 286,720 qttask.exe
1 File(s) 286,720 bytes
Directory of C:\PROGRA~1\ZINIO\BAK
12/14/2006 12:47 PM 1,003,590 ZinioDeliveryManager.exe
1 File(s) 1,003,590 bytes
Directory of C:\WINDOWS\SMINST\BAK
07/22/2005 05:14 PM 237,568 RECGUARD.exe
1 File(s) 237,568 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
08/03/2004 11:00 PM 15,360 ctfmon.exe
05/04/2007 01:57 PM 167,958 spw.exe
2 File(s) 183,318 bytes
Directory of C:\PROGRA~1\CANON\MYPRIN~1\BAK
03/21/2006 08:30 PM 1,191,936 BJMyPrt.exe
1 File(s) 1,191,936 bytes
Directory of C:\PROGRA~1\GRISOFT\AVGFRE~1\BAK
09/13/2007 02:08 PM 421,888 avgcc.exe
1 File(s) 421,888 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK
02/15/2006 05:34 PM 249,856 HPBootOp.exe
1 File(s) 249,856 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/16/2005 10:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
03/21/2006 01:19 PM 69,632 OpwareSE4.exe
1 File(s) 69,632 bytes
Directory of C:\PROGRA~1\SIBERS~1\AIROBO~1\BAK
10/06/2007 09:32 AM 160,592 RoboTaskBarIcon.exe
1 File(s) 160,592 bytes
Directory of C:\PROGRA~1\SONY\SONICS~1\BAK
11/02/2006 01:43 PM 472,632 SsAAD.exe
1 File(s) 472,632 bytes
Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes
Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK
07/27/2004 06:50 PM 221,184 ISUSPM.exe
1 File(s) 221,184 bytes
Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
08/17/2006 07:27 PM 180,269 realsched.exe
1 File(s) 180,269 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
09/30/2003 12:14 AM 155,648 SSBkgdupdate.exe
1 File(s) 155,648 bytes
Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 03:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes
Directory of C:\PROGRA~1\SHUTTE~1\STUDIO\BIN\BAK
03/06/2007 01:05 PM 2,496,512 SFlyStudio.exe
1 File(s) 2,496,512 bytes
Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK
03/09/2007 10:09 AM 63,712 apdproxy.exe
1 File(s) 63,712 bytes
Directory of C:\PROGRA~1\COMCAST\COMCAS~1\DATA\XTRAS\BAK
05/09/2005 06:16 PM 192,512 mssysmgr.exe
1 File(s) 192,512 bytes
Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK
06/02/2003 10:00 PM 99,840 E_S4I2L1.exe
09/19/2003 02:00 AM 99,840 E_S4I2P1.exe
2 File(s) 199,680 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
61440 Feb 2 2005 "C:\hp\KBD\KBD.exe"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 8 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
116008 Nov 8 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
116008 Nov 8 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\B41NN194\iTunesSetupAdmin[1].exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\qttask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
1003590 Dec 14 2006 "C:\Program Files\Zinio\ZinioDeliveryManager.exe"
1003590 Dec 14 2006 "C:\Program Files\Zinio\bak\ZinioDeliveryManager.exe"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\RECGUARD.exe"
237568 Jul 22 2005 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 3 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
167958 May 4 2007 "C:\WINDOWS\system32\spw.exe"
167958 May 4 2007 "C:\WINDOWS\system32\bak\spw.exe"
1191936 Mar 21 2006 "C:\Program Files\Canon\MyPrinter\BJMyPrt.exe"
1191936 Mar 21 2006 "C:\Program Files\Canon\MyPrinter\bak\BJMyPrt.exe"
421888 Sep 13 2007 "C:\Program Files\Grisoft\AVG Free\avgcc.exe"
579072 Oct 22 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
421888 Sep 13 2007 "C:\Program Files\Grisoft\AVG Free\bak\avgcc.exe"
249856 Feb 15 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
249856 Feb 15 2006 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
69632 Mar 21 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
69632 Mar 21 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
160592 Oct 6 2007 "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
160592 Oct 6 2007 "C:\Program Files\Siber Systems\AI RoboForm\bak\RoboTaskBarIcon.exe"
472632 Nov 2 2006 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
472632 Nov 2 2006 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
180269 Aug 17 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Aug 17 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
155648 Sep 30 2003 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
155648 Sep 30 2003 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
36975 Aug 26 2005 "C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
181883 Aug 9 2007 "C:\Program Files\Shutterfly\Studio\SFlyStudioUninstall.exe"
2496512 Mar 6 2007 "C:\Program Files\Shutterfly\Studio\Bin\SFlyStudio.exe"
2496512 Mar 6 2007 "C:\Program Files\Shutterfly\Studio\Bin\bak\SFlyStudio.exe"
57344 Sep 9 2005 "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
63712 Mar 9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
192512 May 9 2005 "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\mssysmgr.exe"
192512 May 9 2005 "C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\bak\mssysmgr.exe"
99840 Jun 2 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2L1.exe"
99840 Jun 2 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonstylus_cx64004d7f\E_S4I2L1.exe"
99840 Jun 2 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I2L1.exe"
99840 Sep 19 2003 "C:\Program Files\EPSON\PrinterDriverTemp\PMATE\E_S4I2P1.exe"
99840 Sep 19 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I2P1.exe"
99840 Sep 19 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\epsonpicturemateda58\E_S4I2P1.exe"
99840 Sep 19 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\E_S4I2P1.exe"
end of report

Option 3:
Double-click the FindAWF icon once again.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\hp\KBD\bak
C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Zinio\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak
C:\Program Files\Canon\MyPrinter\bak
C:\Program Files\Grisoft\AVG Free\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Siber Systems\AI RoboForm\bak
C:\Program Files\Sony\SonicStage\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
C:\Program Files\Shutterfly\Studio\Bin\bak
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak
C:\Program Files\Comcast\Comcast PhotoShow 4\data\Xtras\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once again. If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Next,
Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

Option 3 done Here are the logs
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Sat 11/10/2007
The current time is: 16:03:11.48
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\SCANSOFT\OMNIPA~1.0\BAK
03/21/2006 01:19 PM 69,632 OpwareSE4.exe
1 File(s) 69,632 bytes
Directory of C:\PROGRA~1\COMMON~1\SCANSO~1\SSBKGD~1\BAK
09/30/2003 12:14 AM 155,648 SSBkgdupdate.exe
1 File(s) 155,648 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
69632 Mar 21 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
69632 Mar 21 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
155648 Sep 30 2003 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe"
155648 Sep 30 2003 "C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe"
Disconnected from internet and applied fixme.reg file
Ran Combofix
Problem occurred while running ComboFix:
message from AVG popped up saying virus threat in C\DOCUME~1\LOCALS~1\Temp|cjekoeqv.dll
Log created
ComboFix 07-11-08.1 - Compaq_Owner 2007-11-10 16:36:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1396 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.
2007-11-10 16:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 12:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-09 20:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-09 20:32 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-11-09 20:30 <DIR> d-------- C:\WINDOWS\Cache
2007-11-09 11:36 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\ComcastToolbar(2)
2007-11-09 01:16 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-08 18:18 <DIR> d-------- C:\Program Files\iPod
2007-11-05 15:37 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-02 23:21 <DIR> d-------- C:\Program Files\Coupons
2007-11-02 23:21 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-11-02 11:20 <DIR> d-------- C:\WINDOWS\system32\autumnmemories_3113668 dir
2007-10-18 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-18 20:35 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-10-17 00:18 <DIR> d-------- C:\WINDOWS\system32\countryhalloween_3125141 dir
2007-10-17 00:18 520,192 --a------ C:\WINDOWS\system32\countryhalloween_3125141.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 21:03 --------- d-----w C:\Program Files\Zinio
2007-11-10 21:03 --------- d-----w C:\Program Files\QuickTime
2007-11-10 21:03 --------- d-----w C:\Program Files\iTunes
2007-11-10 20:57 14,170 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-11-10 20:06 --------- d-----w C:\Program Files\Java
2007-11-10 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 03:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-10 03:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2007-10-21 16:54 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Avery Wizard 3.1
2007-10-20 17:26 --------- d-----w C:\Program Files\EvilLyrics
2007-10-16 23:44 --------- d-----w C:\Program Files\Picaboo
2007-10-10 04:55 --------- d-----w C:\Program Files\Google
2007-09-28 16:43 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Canon
2007-09-14 16:16 266,240 ----a-w C:\WINDOWS\system32\shxf.dll
2007-09-13 18:47 712,704 ----a-w C:\WINDOWS\system32\shph.dll
2007-09-13 17:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-09-12 14:21 --------- d-----w C:\Program Files\Apple Software Update
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-11-26 20:39 108,168 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-25 21:19 1,584,087 ----a-w C:\Program Files\bartender.exe
2006-09-12 23:07 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-09-16 22:20:49 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-09-20 20:20:03 88 --sh--r C:\WINDOWS\system32\5228233D93.sys
2006-09-20 20:20:03 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 155,648 2003-09-30 05:14:58 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
----a-w 155,648 2003-09-30 05:14:58 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
----a-w 69,632 2006-03-21 18:19:40 C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
----a-w 69,632 2006-03-21 18:19:40 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-07 23:54 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 14:15]
"nwiz"="nwiz.exe" [2006-01-24 14:15 C:\WINDOWS\system32\nwiz.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.exe" [2005-07-22 17:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 17:34]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 14:08]
"KBD"="C:\HP\KBD\KBD.exe" [2005-02-02 15:44]
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-17 19:27]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 20:30]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]
"EPSON PictureMate"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.exe" [2003-09-19 02:00]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\bak\mssysmgr.exe" []
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-06 09:32]C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Keyboard Express 95.lnk - C:\Program Files\keyexp\KEYEXP.exe [2006-09-06 22:45:01]
Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2007-10-15 09:27:26]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-17 19:42:12]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 22:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 20:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-10 21:36:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 16:39:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-10 16:40:48
C:\ComboFix2.txt ... 2007-11-10 16:28
.
--- E O F ---

Sorry, I ran ComboFix twice; this is the first log.
The second log I entered above is the one I ran after I got the AVG warning and had AVG delete the C\DOCUME~1\LOCALS~1\Temp|cjekoeqv.dll
FIRST LOG
ComboFix 07-11-08.1 - Compaq_Owner 2007-11-10 16:20:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1378 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\silc_dll.dll
D:\Autorun.inf
.
((((((((((((((((((((((((( Files Created from 2007-10-10 to 2007-11-10 )))))))))))))))))))))))))))))))
.
2007-11-10 16:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 12:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-09 20:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-09 20:32 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-11-09 20:30 <DIR> d-------- C:\WINDOWS\Cache
2007-11-09 11:36 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\ComcastToolbar(2)
2007-11-09 01:16 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-08 18:18 <DIR> d-------- C:\Program Files\iPod
2007-11-05 15:37 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-02 23:21 <DIR> d-------- C:\Program Files\Coupons
2007-11-02 23:21 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-11-02 11:20 <DIR> d-------- C:\WINDOWS\system32\autumnmemories_3113668 dir
2007-10-18 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-18 20:35 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-10-17 00:18 <DIR> d-------- C:\WINDOWS\system32\countryhalloween_3125141 dir
2007-10-17 00:18 520,192 --a------ C:\WINDOWS\system32\countryhalloween_3125141.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 21:03 --------- d-----w C:\Program Files\Zinio
2007-11-10 21:03 --------- d-----w C:\Program Files\QuickTime
2007-11-10 21:03 --------- d-----w C:\Program Files\iTunes
2007-11-10 20:57 14,170 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-11-10 20:06 --------- d-----w C:\Program Files\Java
2007-11-10 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 03:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-10 03:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2007-10-21 16:54 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Avery Wizard 3.1
2007-10-20 17:26 --------- d-----w C:\Program Files\EvilLyrics
2007-10-16 23:44 --------- d-----w C:\Program Files\Picaboo
2007-10-10 04:55 --------- d-----w C:\Program Files\Google
2007-09-28 16:43 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Canon
2007-09-13 17:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-09-12 14:21 --------- d-----w C:\Program Files\Apple Software Update
2006-11-26 20:39 108,168 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-25 21:19 1,584,087 ----a-w C:\Program Files\bartender.exe
2006-09-12 23:07 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-09-16 22:20:49 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-09-20 20:20:03 88 --sh--r C:\WINDOWS\system32\5228233D93.sys
2006-09-20 20:20:03 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 155,648 2003-09-30 05:14:58 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
----a-w 155,648 2003-09-30 05:14:58 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdupdate.exe
----a-w 69,632 2006-03-21 18:19:40 C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
----a-w 69,632 2006-03-21 18:19:40 C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-07 23:54 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 14:15]
"nwiz"="nwiz.exe" [2006-01-24 14:15 C:\WINDOWS\system32\nwiz.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.exe" [2005-07-22 17:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 17:34]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 14:08]
"KBD"="C:\HP\KBD\KBD.exe" [2005-02-02 15:44]
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-17 19:27]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 20:30]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]
"EPSON PictureMate"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.exe" [2003-09-19 02:00]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"SHWired Helper"="C:\WINDOWS\system32\spw.exe" [2007-05-04 13:57]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\bak\mssysmgr.exe" []
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-06 09:32]C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Keyboard Express 95.lnk - C:\Program Files\keyexp\KEYEXP.exe [2006-09-06 22:45:01]
Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2007-10-15 09:27:26]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-17 19:42:12]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 22:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 20:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-10 21:26:32 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 16:23:49
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-10 16:28:36 - machine was rebooted
.
--- E O F ---
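A small triage script for the bak-folder pattern these logs show, added here as an example (it is not part of the thread, FindAWF or ComboFix). It pairs each `bak\<file>` entry in a FindAWF "Duplicate files" listing with its original and compares sizes, and flags ComboFix Run-key entries that launch from a `bak` folder, as the PhotoShow entry in the log does. The differing-size pair in the sample input is constructed; the interpretation that a bak copy larger or smaller than its original means the original is still a replaced loader, while matching sizes mean the original was restored (FindAWF option 2), is an assumption about the AWF pattern FindAWF targets.

```python
"""Parse FindAWF duplicate listings and ComboFix Run-key lines for the bak-folder pattern.

Added example, not code from the thread, FindAWF or ComboFix. Sample input is
constructed from lines quoted in the thread plus one hypothetical pair.
"""
import re

# FindAWF duplicate line: <size> <Mon> <day> <year> "<path>"
_DUP_RE = re.compile(r'^(\d+)\s+(\w{3} \d{1,2} \d{4})\s+"(.+)"\s*$')
# ComboFix Run-key line: "Name"="path" [timestamp]  or  "Name"="path" []
_RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]\s*$')


def _bak_sibling(path):
    """Return the non-bak twin of a path whose parent folder is 'bak', else None."""
    parts = path.split("\\")
    if len(parts) >= 2 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def parse_findawf_duplicates(text):
    """Pair each bak\\<file> entry with its original and report whether sizes match.

    Assumption (AWF pattern): a replaced original differs in size from the
    legitimate copy parked in bak; identical sizes mean the original has been
    restored and the bak copy is leftover.
    """
    sizes = {}
    for line in text.splitlines():
        m = _DUP_RE.match(line.strip())
        if m:
            sizes[m.group(3)] = int(m.group(1))
    results = []
    for path, size in sizes.items():
        orig = _bak_sibling(path)
        if orig is None:
            continue
        orig_size = sizes.get(orig)
        if orig_size is None:
            status = "original missing"
        elif orig_size == size:
            status = "restored (sizes match)"
        else:
            status = "SUSPECT (original size differs from bak copy)"
        results.append({"bak": path, "original": orig, "status": status})
    return results


def parse_run_entries(text):
    """Flag autostart entries that launch from a bak folder or carry an empty [] stamp."""
    findings = []
    for line in text.splitlines():
        m = _RUN_RE.match(line.strip())
        if not m:
            continue
        name, path, stamp = m.groups()
        reasons = []
        if "\\bak\\" in path.lower():
            reasons.append("runs from bak folder")
        if not stamp.strip():
            reasons.append("empty timestamp bracket")
        if reasons:
            findings.append({"name": name, "path": path, "reasons": reasons})
    return findings


# Constructed sample: two lines quoted in the thread plus a hypothetical
# C:\Example pair whose sizes differ, to exercise the suspect case.
SAMPLE_FINDAWF = r'''
69632 Mar 21 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
69632 Mar 21 2006 "C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe"
40960 Jan 1 2007 "C:\Example\App\helper.exe"
155648 Jan 1 2007 "C:\Example\App\bak\helper.exe"
'''

# Constructed sample: Run-key lines as they appear in the thread's ComboFix log.
SAMPLE_COMBOFIX = r'''
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\bak\mssysmgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43]
'''

if __name__ == "__main__":
    for r in parse_findawf_duplicates(SAMPLE_FINDAWF):
        print(r["status"], "->", r["bak"])
    for f in parse_run_entries(SAMPLE_COMBOFIX):
        print(f["name"], "->", "; ".join(f["reasons"]))
```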

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
navigate to and delete these files if found:
C:\Program Files\ScanSoft\OmniPageSE4.0\bak\OpwareSE4.exe
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak\SSBkgdupdate.exe
Then navigate to and delete these folders if found:
C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\bak
C:\Program Files\ScanSoft\OmniPageSE4.0\bak
Run ATF-Cleaner from safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Post a new ComboFix log please.
You should add "SpywareBlaster" to your arsenal of antispyware tools; just do a Google search for SpywareBlaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Followed directions, restore and then for safe mode operation.
Deleted files and ran ATF.
Rebooted in normal mode and Windows Installer came up asking for installation disc for OmniPage.
Inserted disc and install finished.
Ran ComboFix in normal mode and threat warning from AVG again came up for
C\DOCUME~1\LOCALS~1\Temp|cjekoeqv.dll
Had AVG delete it. No more Backdoor:Win32/Zonebac.
ComboFix 07-11-08.1 - Compaq_Owner 2007-11-10 19:19:02.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1409 [GMT -5:00]
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.
2007-11-10 16:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 12:44 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:43 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-09 20:51 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-11-09 20:32 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-11-09 20:30 <DIR> d-------- C:\WINDOWS\Cache
2007-11-09 11:36 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\ComcastToolbar(2)
2007-11-09 01:16 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-08 18:18 <DIR> d-------- C:\Program Files\iPod
2007-11-05 15:37 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-02 23:21 <DIR> d-------- C:\Program Files\Coupons
2007-11-02 23:21 31 --ah----- C:\WINDOWS\uccspecc.sys
2007-11-02 11:20 <DIR> d-------- C:\WINDOWS\system32\autumnmemories_3113668 dir
2007-10-18 21:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-18 20:35 <DIR> d-------- C:\WINDOWS\McAfee.com
2007-10-17 00:18 <DIR> d-------- C:\WINDOWS\system32\countryhalloween_3125141 dir
2007-10-17 00:18 520,192 --a------ C:\WINDOWS\system32\countryhalloween_3125141.scr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 23:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-11-10 23:21 14,320 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\wklnhst.dat
2007-11-10 21:03 --------- d-----w C:\Program Files\Zinio
2007-11-10 21:03 --------- d-----w C:\Program Files\QuickTime
2007-11-10 21:03 --------- d-----w C:\Program Files\iTunes
2007-11-10 20:06 --------- d-----w C:\Program Files\Java
2007-11-10 19:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 03:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\AVG7
2007-10-21 16:54 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Avery Wizard 3.1
2007-10-20 17:26 --------- d-----w C:\Program Files\EvilLyrics
2007-10-16 23:44 --------- d-----w C:\Program Files\Picaboo
2007-10-10 04:55 --------- d-----w C:\Program Files\Google
2007-09-28 16:43 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\Canon
2007-09-14 16:16 266,240 ----a-w C:\WINDOWS\system32\shxf.dll
2007-09-13 18:47 712,704 ----a-w C:\WINDOWS\system32\shph.dll
2007-09-13 17:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-09-12 14:21 --------- d-----w C:\Program Files\Apple Software Update
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ----a-w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ----a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ----a-w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ----a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ----a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ----a-w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ----a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ----a-w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ----a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ----a-w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ----a-w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ----a-w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ----a-w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-11-26 20:39 108,168 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-09-25 21:19 1,584,087 ----a-w C:\Program Files\bartender.exe
2006-09-12 23:07 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2006-09-16 22:20:49 22 --sha-w C:\WINDOWS\SMINST\HPCD.sys
2006-09-20 20:20:03 88 --sh--r C:\WINDOWS\system32\5228233D93.sys
2006-09-20 20:20:03 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( snapshot@2007-11-10_16.25.32.82 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-30 21:16:46 7,406 ----a-r C:\WINDOWS\Installer\{29D851C2-048C-4B5E-8D1F-25D473342BB5}\ARPPRODUCTICON.exe
+ 2007-11-11 00:13:45 7,406 ----a-r C:\WINDOWS\Installer\{29D851C2-048C-4B5E-8D1F-25D473342BB5}\ARPPRODUCTICON.exe
- 2007-01-30 21:16:46 49,152 ----a-r C:\WINDOWS\Installer\{29D851C2-048C-4B5E-8D1F-25D473342BB5}\NewShortcut14_27BC537B086D42E19CB39D115FA043BF.exe
+ 2007-11-11 00:13:46 49,152 ----a-r C:\WINDOWS\Installer\{29D851C2-048C-4B5E-8D1F-25D473342BB5}\NewShortcut14_27BC537B086D42E19CB39D115FA043BF.exe
- 2007-01-30 21:16:46 61,440 ----a-r C:\WINDOWS\Installer\{29D851C2-048C-4B5E-8D1F-25D473342BB5}\NewShortcut15_27BC537B086D42E19CB39D115FA043BF.exe
+ 2007-11-11 00:13:46 61,440 ----a-r C:\WINDOWS\Installer\{29D851C2-048C-4B5E-8D1F-25D473342BB5}\NewShortcut15_27BC537B086D42E19CB39D115FA043BF.exe
- 2007-01-30 21:16:46 65,536 ----a-r C:\WINDOWS\Installer\{29D851C2-048C-4B5E-8D1F-25D473342BB5}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
+ 2007-11-11 00:13:45 65,536 ----a-r C:\WINDOWS\Installer\{29D851C2-048C-4B5E-8D1F-25D473342BB5}\Shortcut0.C3A146F5_4B48_11D5_A819_00B0D0428C0C.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-07 23:54 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-01-24 14:15]
"nwiz"="nwiz.exe" [2006-01-24 14:15 C:\WINDOWS\system32\nwiz.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.exe" [2005-07-22 17:14]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 17:34]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 14:08]
"KBD"="C:\HP\KBD\KBD.exe" [2005-02-02 15:44]
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 10:09]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 18:50]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-17 19:27]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 20:30]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
"OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 13:19]
"EPSON PictureMate"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.exe" [2003-09-19 02:00]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 22:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\bak\mssysmgr.exe" []
"EPSON Stylus CX6400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.exe" [2003-06-02 22:00]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-11-02 13:43]
"RoboForm"="C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2007-10-06 09:32]
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Keyboard Express 95.lnk - C:\Program Files\keyexp\KEYEXP.exe [2006-09-06 22:45:01]
Picaboo.lnk - C:\Program Files\Picaboo\Picaboo\PicabooMain.exe [2007-10-15 09:27:26]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - C:\Program Files\Compaq Connections\5577497\Program\Compaq Connections.exe [2006-08-17 19:42:12]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2006-06-14 22:11:40]
KODAK Software Updater.lnk - C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe [2004-02-13 13:12:08]
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 20:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-11 00:18:57 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-10 19:22:12
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-10 19:22:43
C:\ComboFix2.txt ... 2007-11-10 18:42
C:\ComboFix3.txt ... 2007-11-10 16:40
.
--- E O F ---
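An added example (editor's code, not from the thread, ComboFix or any tool named in it): a parser for the "Reg Loading Points" lines in the ComboFix log above, with a heuristic triage of the autostart entries it finds. The sample lines are constructed in the same format as the log. The flag rules are the editor's own heuristics, not ComboFix's: a `\bak\` path component, an empty bracket pair where every other entry carries a file timestamp, and a bare filename that Windows resolves through the search path.

```python
import re
from typing import Dict, List

# Constructed sample in the ComboFix "Reg Loading Points" format: a registry
# key header, then one line per value as "Name"="command" [file metadata].
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 14:08]
"nwiz"="nwiz.exe" [2006-01-24 14:15 C:\WINDOWS\system32\nwiz.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Comcast\COMCAS~1\data\Xtras\bak\mssysmgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:00]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')


def parse_loading_points(text: str) -> List[Dict[str, str]]:
    """Return one dict per autostart value: registry key, value name, command, bracket metadata."""
    entries: List[Dict[str, str]] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)  # subsequent values belong to this key
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": key, **m.groupdict()})
    return entries


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """Editor's heuristics; an empty list means nothing stood out."""
    reasons: List[str] = []
    cmd = entry["cmd"].lower()
    if "\\bak\\" in cmd:
        reasons.append('runs from a "bak" folder')
    if not entry["meta"].strip():
        # Every other entry in the log carries a timestamp; an empty bracket
        # is treated here as "file not stamped at scan time" (assumption).
        reasons.append("no file timestamp recorded in the log")
    if not re.match(r"^[a-z]:\\", cmd):
        reasons.append("not an absolute path; resolved through the search path")
    return reasons


def triage(text: str) -> Dict[str, List[str]]:
    """Map value name -> reasons, for entries that tripped at least one rule."""
    return {e["name"]: rs for e in parse_loading_points(text) if (rs := suspicious_reasons(e))}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run against the full log, the one entry that trips both the `bak` rule and the empty-bracket rule is the same `mssysmgr.exe` line that appears in the running-processes list, which is what a reviewer would want to look at first.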

Looks better.
Go to this link, VirusTotal, copy the following files one at a time into the "upload and scan" box, click Submit, then post the results.
C:\WINDOWS\system32\shxf.dll
C:\WINDOWS\system32\shph.dll
C:\WINDOWS\system32\5228233D93.sys

I could not find 5228233D93.sys in my system32 folder or anywhere on my computer. The other 2 file results from VirusTotal are as follows:
File shxf.dll received on 11.11.2007 05:20:13 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Additional information
File size: 266240 bytes
MD5: c7b8a27e238b023ae7ac5b9d5a186f3f
SHA1: 52664d3f07f23de1204f44faf5932154cae097ea
File shph.dll received on 11.11.2007 05:28:36 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
Additional information
File size: 712704 bytes
MD5: 3fe1744e7eecbb316a7f4a2f741977ec
SHA1: 69d05cb3d168d1524b8088c9592ac20ea26f491c
Oh, I failed to mention the name of the trojan that AVG found and put in the virus vault: Generic9.HLK, path C:\DOCUME~1\LOCALS~1\Temp\cjekoeqv.dll, backup copy Infected.
By the way, thanks so much for sharing your expertise and helping. I really appreciate it.

Set up the computer to view hidden files by going to Start > Control Panel > Folder Options > View tab > tick the circle beside "show hidden files and folders" and untick the boxes beside "hide extensions of known file types" and "hide protected system operating files" > Apply > OK.
Then see if you can find this file
C:\WINDOWS\system32\5228233D93.sys
Then run it in the Virus Total Scanner if you find it.
Open AVG > Virus Vault > Action > Empty Vault.
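An added example (editor's code, not the thread's): locating a file by name below a directory root without depending on Explorer's hidden-file settings, then reporting the size, MD5 and SHA1 that VirusTotal lists under "Additional information", so the file that was uploaded can be matched to the report. The sample tree and its file contents are constructed; the hidden/system attribute check reads `st_file_attributes`, which only Windows populates, so on other platforms both flags come back False.

```python
import hashlib
import os
import tempfile
from typing import Dict, Optional

# Win32 file attribute bits (values from the Windows API), so no platform-specific import is needed.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def find_file(root: str, filename: str) -> Optional[str]:
    """Case-insensitive search below root (NTFS names are case-insensitive).

    os.walk enumerates hidden and system files as well, so this does not
    depend on the Explorer "show hidden files" setting.
    """
    target = filename.lower()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == target:
                return os.path.join(dirpath, name)
    return None


def file_report(path: str) -> Dict[str, object]:
    """Size, MD5 and SHA1 as VirusTotal reports them, plus the NTFS hidden/system flags."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    # st_file_attributes exists only on Windows; elsewhere treat the file as having no flags.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return {
        "path": path,
        "size": size,
        "md5": md5.hexdigest(),
        "sha1": sha1.hexdigest(),
        "hidden": bool(attrs & FILE_ATTRIBUTE_HIDDEN),
        "system": bool(attrs & FILE_ATTRIBUTE_SYSTEM),
    }


def build_sample_tree() -> str:
    """Constructed stand-in for C:\\WINDOWS: the filename from the thread, dummy content."""
    root = tempfile.mkdtemp()
    sys32 = os.path.join(root, "system32")
    os.makedirs(sys32)
    with open(os.path.join(sys32, "5228233D93.sys"), "wb") as fh:
        fh.write(b"abc")  # dummy bytes, not the real driver
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = find_file(root, "5228233d93.sys")
    print(file_report(found) if found else "not found")
```

Comparing the locally computed MD5/SHA1 with the values in the VirusTotal report is the quick way to confirm that the file scanned was the one on disk and not a different copy with the same name.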

found it!
File 5228233D93.sys received on 11.11.2007 06:14:33 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 0/32 (0%)
AVG Virus vault is now empty
