Hi,
My computer has recently been troubled by this PSW trojan horse, which I have failed to remove using Ad-aware 6, Spybot and AVG Free 8.0. The problem returns even after removing the threat using AVG. I have read in this forum about the use of HJT to scan the computer. Help is needed and I kindly hope that anyone with expertise in this can help me out. Thank you. Please inform me if there is a need for me to post the log. Thank you.

Hi btklwl, below is my log. Thank you for your attention.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:58 PM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\CTHELPER.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - (no file)
O2 - BHO: zywlcime.dll - {37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: lofsdjbo.dll - {470165F1-9F65-569F-F895-F14F58F41074} - (no file)
O2 - BHO: akjsdkaq.dll - {4A908760-8000-4000-A000-9000322145A4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - (no file)
O2 - BHO: mndshsrv.dll - {87FD640A-158F-48AC-FD14-1597F14A9778} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.exe
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/1502...
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-7953bf3b33480434.spaces....
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/1502...
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binar...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: SysCvCWm.dll,skqncbib.dll,akjsdkaq.dll,avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe

--
End of file - 8952 bytes

Heya ZGMFX05A
Download FindAWF to your desktop.
Click here to download FindAWF
Once the download has finished:
1) Double click FindAWF.exe to run it.
2) Press any key when prompted to continue.
3) When the menu appears select option 1 and press enter.
4) When the notepad document appears copy and paste the contents back here.

Hi,
As instructed, below is the notepad info.
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 07/07/2008
The current time is: 10:58:15.09
bak folders found
~~~~~~~~~~~
Directory of C:\WINDOWS\BAK
05/11/2000 01:00 AM 90,112 UpdReg.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\DAEMON~1\BAK
08/29/2007 11:09 PM 171,464 daemon.exe
1 File(s) 171,464 bytes

Directory of C:\PROGRA~1\ITUNES\BAK
09/07/2007 04:55 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK
0 File(s) 0 bytes

Directory of C:\PROGRA~1\POWERISO\BAK
08/07/2007 08:05 AM 200,704 PWRISOVM.exe
1 File(s) 200,704 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK
06/29/2007 06:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
08/04/2004 12:56 AM 15,360 ctfmon.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK
12/03/2002 06:06 PM 45,056 SBDrvDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SPLASH~1\BAK
09/13/2002 01:04 AM 49,152 CTEaxSpl.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK
09/14/2007 07:18 PM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK
01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK
06/30/2003 08:56 PM 188,416 ISStart.exe
06/30/2003 09:00 PM 65,536 LogiTray.exe
2 File(s) 253,952 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK
08/03/2004 10:32 PM 208,952 IMJPMIG.exe
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK
11/24/2005 03:38 PM 94,208 NMBgMonitor.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
02/05/2006 01:27 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK
09/30/2002 01:00 AM 45,056 CTDVDDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK
10/29/2002 09:18 AM 49,152 CTSysVol.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\SONYER~1\MOBILE2\APPLIC~1\BAK
0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK
08/03/2004 10:32 PM 455,168 TINTSETP.exe
1 File(s) 455,168 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.exe"
171464 Aug 29 2007 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
267048 Mar 30 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 7 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 4 2008 "C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe"
75048 Apr 4 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunesSetupAdmin.exe"
75048 Apr 4 2008 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8XW58445\iTunesSetupAdmin[1].exe"
116024 Sep 12 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FPYPGAUF\iTunesSetupAdmin[1].exe"
200704 Aug 7 2007 "C:\Program Files\PowerISO\bak\PWRISOVM.exe"
413696 Mar 28 2008 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
49152 Sep 13 2002 "C:\Program Files\Creative\Splash Screen\bak\CTEaxSpl.exe"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
188416 Jun 30 2003 "C:\Program Files\Logitech\Video\bak\ISStart.exe"
65536 Jun 30 2003 "C:\Program Files\Logitech\Video\bak\LogiTray.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\imjpmig.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.exe"
94208 Nov 24 2005 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
180269 Feb 5 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
45056 Sep 30 2002 "C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.exe"
49152 Oct 29 2002 "C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jdk1.5.0_06\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
455168 Aug 3 2004 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 Aug 3 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.exe"
end of report

Heya ZGMFX05A,
Temporarily disable any real-time protection until the infection is cleaned. Remember to turn any back on once we have finished.
Click here for instructions to Temporarily Disable Real Time Monitoring Programs
FindAWF
1) Double click FindAWF.exe
2) Press any key when prompted to continue.
3) When the menu appears select option 2 and press enter.
4) A text file will open called files.txt. Click below the line and copy / paste the following Red text below of files to be restored:
"C:\WINDOWS\bak\UpdReg.exe"
"C:\Program Files\DAEMON Tools\bak\daemon.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\PowerISO\bak\PWRISOVM.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
"C:\Program Files\Creative\Splash Screen\bak\CTEaxSpl.exe"
"C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Logitech\Video\bak\ISStart.exe"
"C:\Program Files\Logitech\Video\bak\LogiTray.exe"
"C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.exe"
"C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.exe"
"C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.exe"
5) Close the text document and click "Yes" to Save the changes
Once files.txt is saved, FindAWF does the following:
-Attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, FindAWF automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
[Edit] Please post a fresh HJT log also [End Edit]
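The restore list above is built by hand from the "Duplicate files of bak directory contents" section of the FindAWF report: each bak\ copy is the original that was renamed away, and the same-named file in the parent folder, if still there, is the suspect. The following Python script is an added example, not part of this thread or of FindAWF; it does that pairing over a few lines copied from the report above and labels each bak entry, and the names SAMPLE_REPORT, parse_report, classify and restore_list are mine.

```python
import re

# Constructed sample in the format of FindAWF's "Duplicate files of bak directory
# contents" section (size, date, quoted path), copied from the report in this thread.
SAMPLE_REPORT = """\
267048 Mar 30 2008 "C:\\Program Files\\iTunes\\iTunesHelper.exe"
267064 Sep 7 2007 "C:\\Program Files\\iTunes\\bak\\iTunesHelper.exe"
15360 Aug 4 2004 "C:\\WINDOWS\\system32\\ctfmon.exe"
15360 Aug 4 2004 "C:\\WINDOWS\\system32\\bak\\ctfmon.exe"
155648 Jul 9 2001 "C:\\WINDOWS\\system32\\bak\\NeroCheck.exe"
"""

LINE_RE = re.compile(r'^(\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+"(.+)"$')

def parse_report(text):
    """Return (size, path) tuples for every report line that matches the format."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries

def classify(entries):
    """Pair each ...\\bak\\NAME with ...\\NAME in the parent folder; label the bak copy
    'missing'   (parent file gone, e.g. AV deleted the rogue copy; restore the original),
    'replaced'  (parent file differs in size: rogue copy still present, or the program
                 was updated since; review before restoring) or
    'identical' (same size in both places, most likely the same file)."""
    size_by_path = {path.lower(): size for size, path in entries}
    verdicts = {}
    for size, path in entries:
        folder, sep, name = path.rpartition('\\')
        if not folder.lower().endswith('\\bak'):
            continue                           # a parent-folder line, not a bak copy
        original = folder[:-4] + sep + name    # strip the trailing '\bak'
        parent_size = size_by_path.get(original.lower())
        if parent_size is None:
            verdicts[path] = 'missing'
        elif parent_size != size:
            verdicts[path] = 'replaced'
        else:
            verdicts[path] = 'identical'
    return verdicts

def restore_list(verdicts, states=('missing', 'replaced')):
    """Bak paths to restore, one quoted path per line as in the files.txt list above."""
    return '\n'.join(f'"{p}"' for p, v in verdicts.items() if v in states)
```

Size comparison is only a first pass; a hash of both copies, or a check of the parent file's digital signature, is the better tie-breaker for 'replaced' entries before anything is copied back.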
