
Whataboutadog.com in my IE History


Name: dsboucher
Date: November 6, 2007 at 19:28:47 Pacific
OS: Windows XP, Home Edition,
CPU/Ram: Pentium 4 3.0 GHz / 1 GB
Product: HP 530J
Comment:

Recently I have noticed whataboutadog.com in my IE history. Also, Symantec is catching a trojan zonebac but is not removing it.

I am attaching an awf log.

Any assistance is greatly appreciated.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 11/06/2007
The current time is: 20:36:36.45


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 04:44 PM 61,440 KBD.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/26/2007 01:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

06/10/2005 03:21 AM 217,088 point32.exe
1 File(s) 217,088 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

11/15/2005 12:28 PM 85,744 VPTray.exe
1 File(s) 85,744 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

11/06/2007 07:50 PM 182 hpsysdrv.DAT
05/07/1998 05:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/07/2004 07:42 PM 659,456 hphmon06.exe
1 File(s) 659,456 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1.0\BAK

09/09/2005 01:18 AM 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

10/04/2005 11:42 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

01/24/2005 06:58 PM 81,920 SsAAD.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/21/2004 07:39 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 12:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 19 2007 "C:\hp\KBD\KBD.exe"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.exe"
26636 Oct 19 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 28 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Sep 28 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
26636 Oct 19 2007 "C:\Program Files\Microsoft IntelliPoint\point32.exe"
217088 Jun 10 2005 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
188 Oct 18 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Nov 6 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
26636 Oct 19 2007 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
26636 Oct 19 2007 "C:\WINDOWS\system32\hphmon06.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
26636 Oct 19 2007 "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
57344 Sep 9 2005 "C:\Program Files\Adobe\Photoshop Elements 4.0\bak\apdproxy.exe"
52896 Jul 19 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
26636 Oct 19 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
26636 Oct 19 2007 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
26636 Oct 19 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
26636 Oct 19 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Oct 21 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
26636 Oct 19 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report




Response Number 1
Name: jabuck
Date: November 6, 2007 at 20:00:23 Pacific
Reply:

Your java is out of date and can be exploited.

Download the latest version of http://java.sun.com/javase/downloads/index.jsp

Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".

Click the "Download" button to the right.

Check the box that says: "Accept License Agreement". The page will refresh.

Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Close any programs you may have running - especially your web browser.

Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.

Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed. Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\hp\KBD\bak\KBD.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\hphmon06.exe"
"C:\Program Files\Adobe\Photoshop Elements 4.0\bak\apdproxy.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
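As an added illustration, not code from the thread or from the FindAWF tool itself: a Python script that reads the "Duplicate files of bak directory contents" section of the first FindAWF report above, pairs each bak copy with the same-named file in its parent folder, separates the replacements (all 26,636 bytes, all dated Oct 19 2007) from ordinary version differences such as VPTray.exe, and prints the files.txt list used in option 2. The size-cluster rule is this example's own heuristic; the page does not describe how FindAWF decides internally.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# One line of the section: <size> <Mon d yyyy> "<full path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3} \d{1,2} \d{4})\s+"([^"]+)"\s*$')

@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str

def parse_duplicates(report):
    """Collect the file lines between the section header and 'end of report'."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
        elif in_section and line.startswith("end of report"):
            break
        elif in_section:
            m = LINE_RE.match(line)
            if m:
                entries.append(Entry(int(m.group(1)), m.group(2), m.group(3)))
    return entries

def pair_bak_files(entries):
    """Pair each bak\\<name> entry with <parent>\\<name>, case-insensitively
    (the log mixes Reader_SL.exe and Reader_sl.exe). Same-named files in
    unrelated folders, e.g. older JRE copies of jusched.exe, are ignored."""
    by_path = {e.path.lower(): e for e in entries}
    pairs = []
    for e in entries:
        folder, name = ntpath.split(e.path)
        if ntpath.basename(folder).lower() != "bak":
            continue
        original = ntpath.join(ntpath.dirname(folder), name)
        pairs.append((e, by_path.get(original.lower())))
    return pairs

def classify(pairs, min_cluster=3):
    """Heuristic assumed by this example (not FindAWF's own logic): one payload
    overwrote many unrelated programs, so a parent-folder size that recurs across
    >= min_cluster mismatched pairs marks a rogue file. A lone size mismatch
    (a vendor update newer than its bak copy) is only flagged for review."""
    sizes = Counter(p.size for b, p in pairs if p is not None and p.size != b.size)
    cluster = {s for s, n in sizes.items() if n >= min_cluster}
    findings = []
    for bak, parent in pairs:
        if parent is None:
            verdict = "missing"      # original gone from parent folder: restore it
        elif parent.size == bak.size:
            verdict = "identical"    # already restored or never replaced
        elif parent.size in cluster:
            verdict = "rogue"
        else:
            verdict = "review"
        findings.append((bak, parent, verdict))
    return findings

def restore_list(findings):
    """Quoted bak paths to paste into files.txt for FindAWF option 2."""
    return ['"%s"' % b.path for b, _, v in findings if v in ("rogue", "missing")]

def triage(report):
    return classify(pair_bak_files(parse_duplicates(report)))

# Constructed excerpt of the thread's first report (same values as posted).
BEFORE_LOG = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 19 2007 "C:\hp\KBD\KBD.exe"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.exe"
26636 Oct 19 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
188 Oct 18 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Nov 6 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
26636 Oct 19 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_SL.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
26636 Oct 19 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Oct 21 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
26636 Oct 19 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"

end of report
"""

if __name__ == "__main__":
    for bak, parent, verdict in triage(BEFORE_LOG):
        print(f"{verdict:9} {bak.path}")
    print("\nfiles.txt:\n" + "\n".join(restore_list(triage(BEFORE_LOG))))
```

Run against the second report in this thread (after option 2), every pair except VPTray.exe and ccApp.exe comes back "identical", which is the confirmation a helper looks for before moving on to option 3.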



Response Number 2
Name: dsboucher
Date: November 7, 2007 at 17:05:02 Pacific
Reply:

Thank you for the quick response. I have updated Java, run a new HJT log and completed FindAWF option #2. The HJT and awf logs are below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:51:54 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.exe
C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.exe
O4 - HKCU\..\Run: [ATI Remote Control] C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O8 - Extra context menu item: &Search -
O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/...
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/h...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/Walgreen...
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySp...
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedI...
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/res...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/Div...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/so...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 9796 bytes

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 11/07/2007
The current time is: 18:55:37.92


bak folders found
~~~~~~~~~~~


Directory of C:\HP\KBD\BAK

02/02/2005 04:44 PM 61,440 KBD.exe
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/26/2007 01:42 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MIFB84~1\BAK

06/10/2005 03:21 AM 217,088 point32.exe
1 File(s) 217,088 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

11/15/2005 12:28 PM 85,744 VPTray.exe
1 File(s) 85,744 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

11/07/2007 05:03 PM 182 hpsysdrv.DAT
05/07/1998 05:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/07/2004 07:42 PM 659,456 hphmon06.exe
1 File(s) 659,456 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1.0\BAK

09/09/2005 01:18 AM 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

10/04/2005 11:42 AM 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

01/24/2005 06:58 PM 81,920 SsAAD.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 02:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/21/2004 07:39 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 12:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

61440 Feb 2 2005 "C:\hp\KBD\KBD.exe"
61440 Feb 2 2005 "C:\hp\KBD\bak\KBD.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 26 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Sep 28 2007 "C:\WINDOWS\Installer\{B045B608-4A47-4C77-9EAD-06C394503306}\iTunesIco.exe"
116024 Sep 28 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.3.1\iTunesSetupAdmin.exe"
217088 Jun 10 2005 "C:\Program Files\Microsoft IntelliPoint\point32.exe"
217088 Jun 10 2005 "C:\Program Files\Microsoft IntelliPoint\bak\point32.exe"
125168 Sep 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
182 Nov 7 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Nov 7 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\hphmon06.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
57344 Sep 9 2005 "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
57344 Sep 9 2005 "C:\Program Files\Adobe\Photoshop Elements 4.0\bak\apdproxy.exe"
52896 Jul 19 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
180269 Oct 21 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Oct 21 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"


end of report



Response Number 3
Name: jabuck
Date: November 7, 2007 at 19:01:48 Pacific
Reply:

Option 3:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:


C:\hp\KBD\bak
C:\Program Files\iTunes\bak
C:\Program Files\Microsoft IntelliPoint\bak
C:\Program Files\Symantec AntiVirus\bak
C:\WINDOWS\system\bak
C:\WINDOWS\system32\bak
C:\Program Files\Adobe\Photoshop Elements 4.0\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Sony\SonicStage\bak
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.6.0_03\bin\bak

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


Next Option 4.


Option 4:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Next,

Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional, if the following programs are on your computer:
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.



Response Number 4
Name: dsboucher
Date: November 7, 2007 at 19:37:21 Pacific
Reply:

Once again, thank you for the fast response.

I have completed option 3 and posted the log below, completed option 4, completed fixme.reg (regedit4), re-enabled SpywareBlaster, Immunized with Spybot, deleted fixme.reg, completed Combofix and posted the log below.

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Wed 11/07/2007
The current time is: 21:12:08.39


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\SYSTEM\BAK

11/07/2007 05:03 PM 182 hpsysdrv.DAT
05/07/1998 05:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

182 Nov 7 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Nov 7 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"


end of report


ComboFix 07-11-08.1 - HP_Owner 2007-11-07 21:23:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.540 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-07 17:01 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-05 21:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 21:46 <DIR> d-------- C:\Documents and Settings\Bethany\Application Data\Grisoft
2007-11-03 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-03 17:02 <DIR> d-------- C:\Program Files\Symantec
2007-11-03 17:02 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-03 17:02 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-29 20:07 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-10-29 20:07 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-10-29 20:07 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-10-27 21:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 21:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-27 15:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-27 14:21 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2007-10-25 16:31 99,456,874 --a------ C:\SYM_REGISTRY_BACKUP.reg
2007-10-19 13:02 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Move Networks
2007-10-18 20:26 <DIR> d-------- C:\WINDOWS\system\bak
2007-10-11 20:50 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\LinkedIn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 03:12 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-08 03:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-08 03:12 --------- d-----w C:\Program Files\iTunes
2007-11-08 03:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-08 02:37 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-07 23:01 --------- d-----w C:\Program Files\Java
2007-11-04 04:40 --------- d-----w C:\Program Files\SpywareDetector
2007-11-03 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 18:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-30 02:09 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-10-30 02:08 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-30 02:08 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-10-30 02:05 --------- d-----w C:\Program Files\Avanquest update
2007-10-27 22:32 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-10-27 22:31 --------- d-----w C:\Program Files\ATI Multimedia
2007-10-27 19:55 --------- d-----w C:\Program Files\QuickTime
2007-09-29 04:51 --------- d-----w C:\Program Files\VideoraiPodConverter
2007-09-29 04:51 --------- d-----w C:\Program Files\AviSynth 2.5
2007-09-29 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-29 02:07 --------- d-----w C:\Program Files\DVD Decrypter
2007-09-29 02:02 --------- d-----w C:\Program Files\DVD Shrink
2007-09-29 01:27 --------- d-----w C:\Program Files\iPod
2007-09-29 01:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-08 18:41 --------- d-----w C:\Documents and Settings\Donna\Application Data\Walgreens
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-01-11 03:53 92,064 ----a-w C:\Documents and Settings\HP_Owner\mqdmmdm.sys
2007-01-11 03:53 9,232 ----a-w C:\Documents and Settings\HP_Owner\mqdmmdfl.sys
2007-01-11 03:53 79,328 ----a-w C:\Documents and Settings\HP_Owner\mqdmserd.sys
2007-01-11 03:53 66,656 ----a-w C:\Documents and Settings\HP_Owner\mqdmbus.sys
2007-01-11 03:53 6,208 ----a-w C:\Documents and Settings\HP_Owner\mqdmcmnt.sys
2007-01-11 03:53 5,936 ----a-w C:\Documents and Settings\HP_Owner\mqdmwhnt.sys
2007-01-11 03:53 4,048 ----a-w C:\Documents and Settings\HP_Owner\mqdmcr.sys
2007-01-11 03:53 25,600 ----a-w C:\Documents and Settings\HP_Owner\usbsermptxp.sys
2007-01-11 03:53 22,768 ----a-w C:\Documents and Settings\HP_Owner\usbsermpt.sys
2006-07-29 20:10 410 ----a-w C:\Documents and Settings\HP_Owner\BHO-291510369.reg
2006-07-29 20:10 230 ----a-w C:\Documents and Settings\HP_Owner\TB-29151056.reg
2006-07-29 20:10 181 ----a-w C:\Documents and Settings\HP_Owner\TB-291510117.reg
2006-07-29 20:10 149 ----a-w C:\Documents and Settings\HP_Owner\BHO-291510256.reg
2006-07-29 20:09 5,489 ----a-w C:\Documents and Settings\HP_Owner\TB-29159487.reg
2006-07-29 20:09 4,459 ----a-w C:\Documents and Settings\HP_Owner\TB-29159396.reg
.

((((((((((((((((((((((((((((( snapshot@2007-11-05_21.38.36.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-19 12:31:47 26,636 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 1998-05-07 23:04:38 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
- 2007-10-19 12:31:47 26,636 ----a-w C:\WINDOWS\system32\hphmon06.exe
+ 2004-06-08 01:42:30 659,456 ----a-w C:\WINDOWS\system32\hphmon06.exe
- 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-06-11 20:04:36 190,696 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
+ 2007-11-07 21:32:58 48,749 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 182 2007-11-07 23:03:03 C:\WINDOWS\system\bak\hpsysdrv.DAT
----a-w 182 2007-11-08 02:42:28 C:\WINDOWS\system\hpsysdrv.DAT

----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\hpsysdrv.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-21 19:39]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 18:58]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 03:21]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"KBD"="C:\HP\KBD\KBD.exe" [2005-02-02 16:44]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 18:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 19:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.exe" [2005-06-14 21:49]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2005-05-10 16:21]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys
S2 JCPCUWSJ;JCPCUWSJ;\??\C:\WINDOWS\system32\jcpcuwsj.zxl
S3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.exe Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 12:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-03-12 20:49:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 21:24:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 21:25:11
C:\ComboFix2.txt ... 2007-11-06 20:42
C:\ComboFix3.txt ... 2007-11-06 20:07
.
--- E O F ---


0

Response Number 5
Name: jabuck
Date: November 7, 2007 at 19:46:31 Pacific
Reply:

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

From safe mode navigate to and delete these files if found:

C:\WINDOWS\system\bak\hpsysdrv.DAT
C:\WINDOWS\system\bak\hpsysdrv.exe

From safe mode navigate to and delete this folder if found:

C:\WINDOWS\system\bak



Run ATF-Cleaner from safe mode. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new Combofix log please.


0
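A defender-side check for the pattern the AWF and snapshot sections of the log above expose (one small loader written over several HP autostart programs, with the originals parked in a bak folder). This is added example code, not part of this thread, ComboFix or the AWF tool; the log it parses is constructed from the lines posted above, and the section-banner and line formats it assumes are the ones shown in those logs.

```python
"""Flag the 'bak folder' autostart-swap pattern in a ComboFix log (added
example for this thread, not ComboFix or AWF code). Several '-' snapshot lines
sharing one size and timestamp under different names point to one dropped
loader copied over several autostart programs; a 'bak' file whose restored
sibling now has the same size is a leftover backup to delete."""
import re
from collections import defaultdict
SNAP_RE = re.compile(r"^([-+]) (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ([\d,]+) \S+ (.+)$")
AWF_RE = re.compile(r"^\S+ ([\d,]+) \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (.+)$")
BANNER_RE = re.compile(r"^\(+ (.+?) \)+$")

# Constructed sample, copied from the snapshot and AWF sections in this thread.
SAMPLE_LOG = r"""
((((( snapshot@2007-11-05_21.38.36.56 )))))
- 2007-10-19 12:31:47 26,636 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 1998-05-07 23:04:38 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
- 2007-10-19 12:31:47 26,636 ----a-w C:\WINDOWS\system32\hphmon06.exe
+ 2004-06-08 01:42:30 659,456 ----a-w C:\WINDOWS\system32\hphmon06.exe
- 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
((((( AWF )))))
----a-w 182 2007-11-07 23:03:03 C:\WINDOWS\system\bak\hpsysdrv.DAT
----a-w 182 2007-11-08 02:42:28 C:\WINDOWS\system\hpsysdrv.DAT
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\hpsysdrv.exe
"""

def _size(text):
    return int(text.replace(",", ""))

def parse_sections(log):
    """Split the log on its '((( name )))' banners into {name: [lines]}."""
    sections, current = defaultdict(list), None
    for line in log.splitlines():
        banner = BANNER_RE.match(line.strip())
        if banner:
            current = banner.group(1)
        elif current and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections

def cloned_loaders(snapshot_lines):
    """(timestamp, size) -> paths, for removed files sharing both under >1 name."""
    groups = defaultdict(set)
    for m in filter(None, map(SNAP_RE.match, snapshot_lines)):
        if m.group(1) == "-":
            groups[(m.group(2), _size(m.group(3)))].add(m.group(4))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def replaced_binaries(snapshot_lines):
    """path -> (old_size, new_size) where ComboFix swapped in a different-sized copy."""
    old, new = {}, {}
    for m in filter(None, map(SNAP_RE.match, snapshot_lines)):
        (old if m.group(1) == "-" else new)[m.group(4)] = _size(m.group(3))
    return {p: (old[p], new[p]) for p in old if p in new and old[p] != new[p]}

def leftover_bak_copies(awf_lines):
    """bak-folder files whose sibling outside 'bak' already has the same size."""
    sizes = {m.group(2): _size(m.group(1))
             for m in filter(None, map(AWF_RE.match, awf_lines))}
    return sorted(p for p, s in sizes.items()
                  if "\\bak\\" in p and sizes.get(p.replace("\\bak\\", "\\")) == s)

def analyze(log=SAMPLE_LOG):
    sections = parse_sections(log)
    snap = [l for name, lines in sections.items()
            if name.startswith("snapshot@") for l in lines]
    return {"cloned_loaders": cloned_loaders(snap),
            "replaced": replaced_binaries(snap),
            "leftover_bak": leftover_bak_copies(sections.get("AWF", []))}

if __name__ == "__main__":
    for finding, detail in analyze().items():
        print(finding, detail)
```

On the sample it flags the two 26,636-byte files dropped at the same second as one loader, lists both as replaced binaries, and names the two bak copies whose originals are already restored; the java.exe pair (same size, an hour's timestamp shift) is correctly left alone.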




Response Number 6
Name: dsboucher
Date: November 7, 2007 at 20:16:42 Pacific
Reply:

Downloaded ATF cleaner, restarted in safe mode, deleted the files and folder indicated, and ran ATF cleaner in safe mode.

Restarted and ran ComboFix (normal mode). Log attached below.

ComboFix 07-11-08.1 - HP_Owner 2007-11-07 22:09:02.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.558 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-07 17:01 <DIR> d-------- C:\Program Files\Common Files\Java
2007-11-05 21:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-03 21:46 <DIR> d-------- C:\Documents and Settings\Bethany\Application Data\Grisoft
2007-11-03 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-03 17:02 <DIR> d-------- C:\Program Files\Symantec
2007-11-03 17:02 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-03 17:02 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-29 20:07 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2007-10-29 20:07 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-10-29 20:07 21,504 --a------ C:\WINDOWS\system32\drivers\motmodem.sys
2007-10-27 21:53 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 21:04 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-27 15:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-27 14:21 <DIR> d-------- C:\Documents and Settings\HP_Owner\.housecall6.6
2007-10-25 16:31 99,456,874 --a------ C:\SYM_REGISTRY_BACKUP.reg
2007-10-19 13:02 <DIR> d-------- C:\Documents and Settings\Donna\Application Data\Move Networks
2007-10-11 20:50 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\LinkedIn

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 04:07 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-08 03:12 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-08 03:12 --------- d-----w C:\Program Files\iTunes
2007-11-08 03:12 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-08 02:37 --------- d-----w C:\Program Files\SpywareBlaster
2007-11-07 23:01 --------- d-----w C:\Program Files\Java
2007-11-04 04:40 --------- d-----w C:\Program Files\SpywareDetector
2007-11-03 23:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-31 18:03 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-10-30 02:09 --------- d-----w C:\Program Files\Motorola Phone Tools
2007-10-30 02:08 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-10-30 02:08 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-10-30 02:05 --------- d-----w C:\Program Files\Avanquest update
2007-10-27 22:32 --------- d---a-w C:\Program Files\Common Files\LightScribe
2007-10-27 22:31 --------- d-----w C:\Program Files\ATI Multimedia
2007-10-27 19:55 --------- d-----w C:\Program Files\QuickTime
2007-09-29 04:51 --------- d-----w C:\Program Files\VideoraiPodConverter
2007-09-29 04:51 --------- d-----w C:\Program Files\AviSynth 2.5
2007-09-29 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-09-29 02:07 --------- d-----w C:\Program Files\DVD Decrypter
2007-09-29 02:02 --------- d-----w C:\Program Files\DVD Shrink
2007-09-29 01:27 --------- d-----w C:\Program Files\iPod
2007-09-29 01:23 --------- d-----w C:\Program Files\Apple Software Update
2007-09-08 18:41 --------- d-----w C:\Documents and Settings\Donna\Application Data\Walgreens
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-01-11 03:53 92,064 ----a-w C:\Documents and Settings\HP_Owner\mqdmmdm.sys
2007-01-11 03:53 9,232 ----a-w C:\Documents and Settings\HP_Owner\mqdmmdfl.sys
2007-01-11 03:53 79,328 ----a-w C:\Documents and Settings\HP_Owner\mqdmserd.sys
2007-01-11 03:53 66,656 ----a-w C:\Documents and Settings\HP_Owner\mqdmbus.sys
2007-01-11 03:53 6,208 ----a-w C:\Documents and Settings\HP_Owner\mqdmcmnt.sys
2007-01-11 03:53 5,936 ----a-w C:\Documents and Settings\HP_Owner\mqdmwhnt.sys
2007-01-11 03:53 4,048 ----a-w C:\Documents and Settings\HP_Owner\mqdmcr.sys
2007-01-11 03:53 25,600 ----a-w C:\Documents and Settings\HP_Owner\usbsermptxp.sys
2007-01-11 03:53 22,768 ----a-w C:\Documents and Settings\HP_Owner\usbsermpt.sys
2006-07-29 20:10 410 ----a-w C:\Documents and Settings\HP_Owner\BHO-291510369.reg
2006-07-29 20:10 230 ----a-w C:\Documents and Settings\HP_Owner\TB-29151056.reg
2006-07-29 20:10 181 ----a-w C:\Documents and Settings\HP_Owner\TB-291510117.reg
2006-07-29 20:10 149 ----a-w C:\Documents and Settings\HP_Owner\BHO-291510256.reg
2006-07-29 20:09 5,489 ----a-w C:\Documents and Settings\HP_Owner\TB-29159487.reg
2006-07-29 20:09 4,459 ----a-w C:\Documents and Settings\HP_Owner\TB-29159396.reg
.

((((((((((((((((((((((((((((( snapshot@2007-11-05_21.38.36.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-19 12:31:47 26,636 ----a-w C:\WINDOWS\system\hpsysdrv.exe
+ 1998-05-07 23:04:38 52,736 ----a-w C:\WINDOWS\system\hpsysdrv.exe
- 2007-10-19 12:31:47 26,636 ----a-w C:\WINDOWS\system32\hphmon06.exe
+ 2004-06-08 01:42:30 659,456 ----a-w C:\WINDOWS\system32\hphmon06.exe
- 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-25 04:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-25 04:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-25 05:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-06-11 20:04:36 190,696 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9d.exe
+ 2007-11-07 21:32:58 48,749 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 17:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-10-21 19:39]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 18:58]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 01:18]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 03:21]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]
"KBD"="C:\HP\KBD\KBD.exe" [2005-02-02 16:44]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 19:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 18:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 19:33]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"ATI DeviceDetect"="C:\Program Files\ATI Multimedia\main\ATIDtct.exe" [2005-06-14 21:49]
"ATI Remote Control"="C:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2005-05-10 16:21]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=C:\WINDOWS\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=C:\WINDOWS\pss\Updates from HP.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
C:\WINDOWS\system32\hphmon06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;C:\WINDOWS\system32\drivers\aticxcap.sys
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);C:\WINDOWS\system32\drivers\aticxtun.sys
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;C:\WINDOWS\system32\drivers\aticxxbr.sys
S2 JCPCUWSJ;JCPCUWSJ;\??\C:\WINDOWS\system32\jcpcuwsj.zxl
S3 ComFiltr;Panda Anti-Dialer;\??\C:\WINDOWS\system32\DRIVERS\COMFiltr.sys
S3 KMW_KBD;Kensington Input Devices Class filter driver;C:\WINDOWS\system32\DRIVERS\KMW_KBD.sys
S3 KMW_USB;Kensington MouseWorks USB filter driver;C:\WINDOWS\system32\DRIVERS\KMW_USB.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-31 12:44:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2006-03-12 20:49:25 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 22:11:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-07 22:11:49
C:\ComboFix2.txt ... 2007-11-07 21:25
C:\ComboFix3.txt ... 2007-11-06 20:42
.
--- E O F ---


0

Response Number 7
Name: jabuck
Date: November 7, 2007 at 20:43:52 Pacific
Reply:

Your Combofix log is clean.

Is the computer operating better?


0

Response Number 8
Name: dsboucher
Date: November 7, 2007 at 21:04:29 Pacific
Reply:

Seems to be working perfectly. I have restarted several times without Symantec catching any issues. I have gone to the internet without whataboutadog showing up. The computer seems to be running faster as well.

Great job, you have been fantastic.

Thanks a lot.


0

Response Number 9
Name: jabuck
Date: November 8, 2007 at 05:24:49 Pacific
Reply:

You should add "Spywareblaster" to your arsenal of antispyware tools, just do a google search for spywareblaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

Glad we could help.


0
