Win32/zonebac.b Keeps Coming Back

HP Pavilion 515n
October 26, 2007 at 12:16:36
Specs: Windows XP Home SP2, Intel Celeron 2.30 GHz CP

My antivirus software keeps finding Win32/zonebac.b trojan. It will remove it from the system but it returns each morning. I can't figure out what to do to get rid of it.

See More: Win32/zonebac.b Keeps Coming Back

Report •


#1
October 26, 2007 at 14:26:36

Please download and install the latest version of HijackThis v2.0.2:

Download the HijackThis Installer from this link: HijackThis

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download FindAWL from this link FindAWF

Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.


Report •

#2
October 27, 2007 at 07:13:32

Thank you for your quick reply. Below are the logs as requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:35 AM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (User 'Default user')
O4 - .DEFAULT User Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Default user')
O4 - Startup: Works Calendar.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} - https://dtwx2.accuweather.com/tnpl_awda/client/download/TNPLDownloader.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/load...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgreens.com/Walgreen...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/inst...
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/web/luxor...
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857D} -
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - http://www.winkflash.com/photo/load...
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uplo...
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpc...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/be...
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driver...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10086 bytes


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 10/27/2007
The current time is: 9:03:14.39


bak folders found
~~~~~~~~~~~


Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\EARTHL~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/14/2002 12:42 AM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/24/2007 12:01 PM 182 hpsysdrv.DAT
05/07/1998 07:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
11/02/2004 09:59 AM 126,976 hkcmd.exe
11/02/2004 10:03 AM 155,648 igfxtray.exe
10/16/2002 06:57 PM 81,920 ps2.exe
4 File(s) 379,904 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/10/2007 12:59 AM 115,816 ccApp.exe
1 File(s) 115,816 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

07/04/2007 07:17 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 08:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\RETROS~1\RETROS~1.0\BAK

09/11/2006 05:32 PM 9,371,648 RetroExpress.exe
1 File(s) 9,371,648 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

09/11/2006 04:40 AM 218,032 ISUSPM.exe
1 File(s) 218,032 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

03/13/2006 04:25 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

06/18/2002 02:11 AM 69,632 hpqcmon.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 5 2007 "C:\WINDOWS\SMINST\RECGUARD.EXE"
212992 Sep 14 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
247 Oct 8 2007 "C:\WINDOWS\system\hpsysdrv.dat"
182 Oct 24 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
28172 Oct 5 2007 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
28172 Oct 5 2007 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Oct 16 2002 "C:\hp\drivers\video\845\HKCMD.EXE"
118784 Feb 10 2004 "C:\WINDOWS\Drivers\Intel\Graphics\win2000\hkcmd.exe"
114688 Oct 16 2002 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\hkcmd.exe"
28172 Oct 5 2007 "C:\WINDOWS\system32\igfxtray.exe"
155648 Nov 2 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Oct 16 2002 "C:\hp\drivers\video\845\IGFXTRAY.EXE"
155648 Feb 10 2004 "C:\WINDOWS\Drivers\Intel\Graphics\win2000\igfxtray.exe"
155648 Oct 16 2002 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\igfxtray.exe"
155648 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\igfxtray.exe"
28172 Oct 5 2007 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Jan 31 2007 "C:\Program Files\Google\googletoolbar4user.exe"
61440 Sep 14 2006 "C:\Program Files\Google\Google Earth\googleearth.exe"
28172 Oct 5 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
559784 Mar 13 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Jan 31 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 4 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
28172 Oct 5 2007 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
9371648 Sep 11 2006 "C:\Program Files\Retrospect\Retrospect Express HD 2.0\RetroExpress.exe"
9371648 Sep 11 2006 "C:\Program Files\Retrospect\Retrospect Express HD 2.0\bak\RetroExpress.exe"
28172 Oct 5 2007 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
218032 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
28172 Oct 5 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Mar 13 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
28172 Oct 5 2007 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
28172 Oct 5 2007 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
69632 Jun 18 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
28172 Oct 5 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report



Report •

#3
October 27, 2007 at 13:54:40

Update your java. Go to start> control panel> java> update> update now> uncheck/decline any google toolbar options.
Once updated go to control panel> add/remove programs and unistall all the other java versions on the computer except for the jre1.6.0_03 version you just installed. Those older version are one way you could have been infected.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:


"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\ps2.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
"C:\Program Files\Retrospect\Retrospect Express HD 2.0\bak\RetroExpress.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


Report •

Related Solutions

#4
October 28, 2007 at 07:41:21

Thank you for your help so far. It wasn't sure exactly how to tell which Java updates to remove. I had updates 1, 2 and 3 so I removed 1 & 2.


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 10/28/2007
The current time is: 9:27:04.54


bak folders found
~~~~~~~~~~~


Directory of C:\HP\BIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\EARTHL~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK

09/14/2002 12:42 AM 212,992 RECGUARD.EXE
1 File(s) 212,992 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

10/24/2007 12:01 PM 182 hpsysdrv.DAT
05/07/1998 07:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
11/02/2004 09:59 AM 126,976 hkcmd.exe
11/02/2004 10:03 AM 155,648 igfxtray.exe
10/16/2002 06:57 PM 81,920 ps2.exe
4 File(s) 379,904 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/10/2007 12:59 AM 115,816 ccApp.exe
1 File(s) 115,816 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\BAK

07/04/2007 07:17 PM 68,856 GoogleToolbarNotifier.exe
1 File(s) 68,856 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK

04/17/2002 08:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\RETROS~1\RETROS~1.0\BAK

09/11/2006 05:32 PM 9,371,648 RetroExpress.exe
1 File(s) 9,371,648 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

09/11/2006 04:40 AM 218,032 ISUSPM.exe
1 File(s) 218,032 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

03/13/2006 04:25 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

12/02/2004 06:23 PM 102,400 CTDetect.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK

06/18/2002 02:11 AM 69,632 hpqcmon.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

212992 Sep 14 2002 "C:\WINDOWS\SMINST\RECGUARD.EXE"
212992 Sep 14 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
182 Oct 24 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Oct 24 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Oct 16 2002 "C:\hp\drivers\video\845\HKCMD.EXE"
118784 Feb 10 2004 "C:\WINDOWS\Drivers\Intel\Graphics\win2000\hkcmd.exe"
114688 Oct 16 2002 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\hkcmd.exe"
118784 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\hkcmd.exe"
155648 Nov 2 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Nov 2 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Oct 16 2002 "C:\hp\drivers\video\845\IGFXTRAY.EXE"
155648 Feb 10 2004 "C:\WINDOWS\Drivers\Intel\Graphics\win2000\igfxtray.exe"
155648 Oct 16 2002 "C:\WINDOWS\system32\ReinstallBackups\0003\DriverFiles\igfxtray.exe"
155648 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0018\DriverFiles\igfxtray.exe"
155648 Aug 20 2004 "C:\WINDOWS\system32\ReinstallBackups\0022\DriverFiles\igfxtray.exe"
81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE"
81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
115816 Jan 10 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Jan 31 2007 "C:\Program Files\Google\googletoolbar4user.exe"
61440 Sep 14 2006 "C:\Program Files\Google\Google Earth\googleearth.exe"
68856 Jul 4 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
559784 Mar 13 2006 "C:\Program Files\Common Files\Real\GToolbar\GoogleToolbarInstaller.exe"
138168 Jan 31 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
68856 Jul 4 2007 "C:\Program Files\Google\GoogleToolbarNotifier\bak\GoogleToolbarNotifier.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
9371648 Sep 11 2006 "C:\Program Files\Retrospect\Retrospect Express HD 2.0\RetroExpress.exe"
9371648 Sep 11 2006 "C:\Program Files\Retrospect\Retrospect Express HD 2.0\bak\RetroExpress.exe"
218032 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
218032 Sep 11 2006 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
180269 Mar 13 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Mar 13 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
102400 Dec 2 2004 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
69632 Jun 18 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
69632 Jun 18 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report


Report •

#5
October 28, 2007 at 09:10:37

Option 3:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:


C:\WINDOWS\SMINST\bak
C:\WINDOWS\system\bak
C:\WINDOWS\system32\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Google\GoogleToolbarNotifier\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\Retrospect\Retrospect Express HD 2.0\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Creative\MediaSource\Detector\bak
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak


Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.


Next Option 4.


Option 4:
Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Next,

Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX


Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the log it produces.


Report •

#6
October 28, 2007 at 19:39:54

Well, somewhere I messed up and my AWF post is not here. I did run step #3 and step #4 and did have a log at one point. All I can give you (unless you have a way to get the AWF log back) is my ComboFix log.

ComboFix 07-10-28.2 - Owner 2007-10-28 20:19:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.147 [GMT -5:00]Running from: C:\Documents and Settings\Owner.HOME\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191725774.old
C:\Program Files\WinBudget\bin\crap.1192627093.old
C:\Program Files\WinBudget\bin\crap.1193412101.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\WINDOWS\system32\nvrssk.dll
C:\WINDOWS\system32\nvrssl.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-29 )))))))))))))))))))))))))))))))
.

2007-10-28 20:18 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-27 08:55 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-25 00:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-25 00:39 <DIR> d-------- C:\Documents and Settings\Owner.HOME\Application Data\SUPERAntiSpyware.com
2007-10-25 00:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-25 00:38 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-25 00:32 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-10-24 13:37 <DIR> d-------- C:\Documents and Settings\Owner.HOME\Application Data\WinPatrol
2007-10-24 13:36 <DIR> d-------- C:\Program Files\BillP Studios
2007-10-24 11:53 110,592 --a------ C:\WINDOWS\system32\avgfwafu.dll
2007-10-24 11:53 9,216 --a------ C:\WINDOWS\system32\avgwlntf.dll
2007-10-24 08:50 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-20 12:15 <DIR> d-------- C:\Program Files\Western Digital Technologies
2007-10-13 00:08 <DIR> d-------- C:\Documents and Settings\Owner.HOME\Application Data\AVG7
2007-10-13 00:08 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-13 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-13 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-10-13 00:01 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-12 23:38 <DIR> d-------- C:\BAK-LIU
2007-10-10 18:08 <DIR> d-------- C:\Deckard
2007-10-09 17:55 <DIR> d-------- C:\Program Files\Windows Defender
2007-10-08 13:43 <DIR> d-------- C:\NSS
2007-10-04 08:17 <DIR> d-------- C:\Program Files\Retrospect
2007-10-04 08:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RetroExp
2007-10-04 07:54 339,968 --a------ C:\WINDOWS\system32\WDBtnMgr.exe
2007-10-04 07:37 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-10-04 07:37 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2007-10-04 07:36 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-04 07:36 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 01:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-28 14:19 --------- d-----w C:\Program Files\Java
2007-10-15 22:28 --------- d-----w C:\Program Files\Messenger Plus! 2
2007-10-11 15:56 --------- d-----w C:\Program Files\EarthLink TotalAccess
2007-10-10 23:01 --------- d-----w C:\Program Files\AWS
2007-10-09 22:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 20:40 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-10-03 20:40 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-09-09 14:10 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-08-29 17:03 --------- d-----w C:\Program Files\Ligos
2007-08-29 14:43 --------- d-----w C:\Documents and Settings\Owner.HOME\Application Data\U3
2003-12-14 05:34 4,952,816 ----a-w C:\Program Files\SetupDl.EXE
2003-08-09 19:57 684 ----a-w C:\Program Files\MIB2ROM.TXT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-11-02 09:59]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 20:42]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-06-18 02:11]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 00:42]
"nwiz"="nwiz.exe" [2002-09-10 01:35 C:\WINDOWS\system32\nwiz.exe]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-11-02 10:03]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 11:52]
"RetroExpress"="C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe" [2006-09-11 17:32]
"WD Button Manager"="WDBtnMgr.exe" [2007-10-20 12:15 C:\WINDOWS\system32\WDBtnMgr.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-09-07 11:13]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"E6TaskPanel"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" [2005-09-01 15:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\User Account\Start Menu\Programs\Startup\
CCAPP.EXE.lnk - C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE [2007-10-28 09:26:54]
Script execution time was exceeded on script "C:\ComboFix\lnkread.vbs".
Script execution was terminated.

C:\Documents and Settings\Administrator.HOME\Start Menu\Programs\Startup\
CCAPP.EXE.lnk - C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE [2007-10-28 09:26:54]
WKCALREM.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-06-20 06:21:32]

C:\Documents and Settings\Owner.HOME\Start Menu\Programs\Startup\
Works Calendar.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-06-20 06:21:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
avgwlntf.dll 2007-10-24 11:53 9216 C:\WINDOWS\system32\avgwlntf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E6TaskPanel]
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
"C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"AdobeActiveFileMonitor5.0"=2 (0x2)

R2 EarthLinkMonitor;EarthLink Monitor Service;"C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe"
S3 ADSFilter;ADSFilter - (Aluria Filter Driver);C:\WINDOWS\system32\DRIVERS\ADSFilter.sys
S3 BW2NDIS5;BW2NDIS5;C:\WINDOWS\system32\Drivers\BW2NDIS5.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command - D:\Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 09:00:04 C:\WINDOWS\Tasks\Disk Cleanup.job"
"2007-10-27 03:22:02 C:\WINDOWS\Tasks\EasyShare Registration Task.job"
"2007-10-29 01:32:37 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-28 20:31:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-28 20:40:54 - machine was rebooted
.
--- E O F ---


Report •

#7
October 29, 2007 at 14:15:47

Don't worry about the FindAWF log, some cleanup to do.

Please post a new Hijack This log.


Report •

#8
October 31, 2007 at 09:48:25

I noticed that there are still some references to Symantec in this log. I uninstalled Norton Internet Security about two weeks ago and installed AVG. I don't think I need to keep any of the Symantec stuff any longer.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:44 AM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.milwaukeemoms.com/for...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - .DEFAULT User Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (User 'Default user')
O4 - .DEFAULT User Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Default user')
O4 - Startup: Works Calendar.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} - https://dtwx2.accuweather.com/tnpl_awda/client/download/TNPLDownloader.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/load...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgreens.com/Walgreen...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/inst...
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/web/luxor...
O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857D} -
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - http://www.winkflash.com/photo/load...
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uplo...
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpc...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/be...
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driver...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10932 bytes


Report •

#9
October 31, 2007 at 15:31:30

Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O2 - BHO: (no name) - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)

O2 - BHO: (no name) - {512ACF1B-64D9-4928-B382-A80556F28DB4} - (no file)

O2 - BHO: (no name) - {9579D574-D4D8-4335-9560-FE8641A013BD} - (no file)

O2 - BHO: (no name) - {E713904C-DF05-4C79-BBAD-02DB923253BE} - (no file)

O4 - .DEFAULT User Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (User 'Default user')

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present Unless you set this.

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857D} -

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab

O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Exit Hijack This.

Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/ We will need it later in safe mode

Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Run ATF-Cleaner from safe mode.Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Post a new hijack This log please.


Report •

#10
November 1, 2007 at 09:36:18

Thank you for your help so far. The ATF-Cleaner took out a good amount of junk.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:17 AM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\PROGRA~1\RETROS~1\RETROS~1.0\retrospect.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [RetroExpress] C:\PROGRA~1\RETROS~1\RETROS~1.0\RetroExpress.exe /h
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (User 'Default user')
O4 - .DEFAULT Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Default user')
O4 - .DEFAULT User Startup: CCAPP.EXE.lnk = C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE (User 'Default user')
O4 - .DEFAULT User Startup: WKCALREM.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Default user')
O4 - Startup: Works Calendar.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} - https://dtwx2.accuweather.com/tnpl_awda/client/download/TNPLDownloader.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - http://www.pcpitstop.com/pcpitstop/...
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash.com/photo/load...
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - http://photo.walgreens.com/Walgreen...
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/re...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/inst...
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.mumbojumbo.com/web/luxor...
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} - http://www.winkflash.com/photo/load...
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://photo.walmart.com/photo/uplo...
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpc...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave.com/content/be...
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://driveragent.com/files/driver...
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Retrospect Express HD Helper (RetroExp Helper) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - EMC Corporation - C:\PROGRA~1\RETROS~1\RETROS~1.0\retrorun.exe

--
End of file - 10530 bytes


Report •

#11
November 1, 2007 at 21:14:16

You can remove these items with Hijack This:

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab

Exit Hijack This.

Your log is clean.

Glad we could help.


Report •

#12
November 2, 2007 at 06:35:29

Items removed.

Thank you very much for all of your help. Following your directions gave me a virus free computer for the first time in a few weeks.

I will certainly refer others to your site.

Thanks again.


Report •

#13
November 2, 2007 at 14:50:18

Glad we could help.

Report •


Ask Question