My security software stopped working and when I sent diagnostics in I was told I have a zonebac.gen1 infection. The suggestion I got to clean it didn't work. Does anyone know how to get rid of this?

Please download FindAWF from the following link:
http://noahdfear.net/downloads/FindAWF.exe
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.

When I attempt to get to the link referenced, I get a message that it doesn't exist. Using search I found noahdfear.geekstogo.com but don't see an option to download findawf.exe. Ideas?

I have run this twice and both times it ran ~18 hours and then quit without producing the AWF.txt file. Any other suggestions?

Go to this link http://wiki.castlecops.com/Malware_... Follow their directions to disable any realtime protection that you have, as it will reinstall the corrupt files. Once you finish these scans, turn the realtime protection back on if you have any.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Please download ComboFix to the desktop from this link: ComboFix
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

from HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:04 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\spider.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - (no file)
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [hoadgbw] C:\WINDOWS\kjberup.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://home.peoplepc.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fsc...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcapl...
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11317 bytes

Working on ComboFix now...

combofix log:
ComboFix 08-01-09.2 - Owner 2008-01-13 14:11:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.143 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1191432921.old
C:\Program Files\WinBudget\bin\crap.1192296491.old
C:\Program Files\WinBudget\bin\crap.1193363100.old
C:\Program Files\WinBudget\bin\crap.1194014344.old
C:\Program Files\WinBudget\bin\crap.1194648749.old
C:\Program Files\WinBudget\bin\crap.1195257729.old
C:\Program Files\WinBudget\bin\crap.1195870885.old
C:\Program Files\WinBudget\bin\crap.1198525019.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1192296490.old
C:\Program Files\WinBudget\bin\matrix.dll.1193363099.old
C:\Program Files\WinBudget\bin\matrix.dll.1194014343.old
C:\Program Files\WinBudget\bin\matrix.dll.1194648748.old
C:\Program Files\WinBudget\bin\matrix.dll.1195257727.old
C:\Program Files\WinBudget\bin\matrix.dll.1195870883.old
C:\Program Files\WinBudget\bin\matrix.dll.1198525017.old
.
((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.
2008-01-13 14:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 18:22 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-27 18:22 . 2007-06-30 21:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-27 18:22 . 2007-06-30 21:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-27 18:22 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-27 18:22 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-27 18:22 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-27 18:22 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-27 18:22 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-27 18:21 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-27 17:47 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-25 22:50 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-25 22:50 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-25 22:50 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-25 20:39 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 19:39 . 2007-11-01 05:42 57,824 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2007-12-25 19:39 . 2007-11-01 05:42 36,768 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2007-12-25 17:33 . 2007-12-27 18:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-25 10:46 . 2007-12-25 11:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-12-24 13:41 . 2007-12-24 13:41 15 --a------ C:\WINDOWS\E60C-BD06-2E6B-03FB.dat
2007-12-20 21:07 . 2007-12-25 14:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-20 18:18 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 00:04 --------- d-----w C:\Program Files\QuickTime
2008-01-07 01:19 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-12-26 04:57 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-12-26 04:57 --------- d-----w C:\Program Files\iTunes
2007-12-26 01:42 --------- d-----w C:\Program Files\Charter High-Speed Security Suite
2007-12-26 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2007-12-26 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2007-12-25 21:34 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2001-07-07 04:56:56 C:\hp\KBD\bak\KBD.exe
----a-w 53,248 2003-08-18 23:46:48 C:\Program Files\Fellowes\MediaFACE 4.0\bak\SetHook.exe
----a-w 69,632 2002-06-18 06:11:24 C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe
----a-w 69,632 2002-04-18 00:42:56 C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe
----a-w 256,576 2006-10-30 15:36:36 C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 389,120 2006-04-03 02:07:44 C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe
----a-w 473,928 2005-07-12 20:35:18 C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe
----a-w 28,176 2007-10-03 17:27:41 C:\Program Files\QuickTime\bak\QTTASK.0XE
----a-w 24,080 2007-08-23 03:14:20 C:\Program Files\QuickTime\QTTASK.0XE
----a-w 282,624 2006-10-26 00:58:18 C:\Program Files\QuickTime\bak\bak\qttask.exe
----a-w 60 2007-12-11 18:02:08 C:\Program Files\Real\RealPlayer\bak\channels.xml
----a-w 3,775 2006-11-27 03:22:38 C:\Program Files\Real\RealPlayer\channels.xml
----a-w 26,112 2002-10-10 23:02:50 C:\Program Files\Real\RealPlayer\bak\RealPlay.exe
----a-w 155,648 2002-05-09 15:01:00 C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe
----a-w 86,016 2002-06-08 08:20:44 C:\Program Files\WildTangent\DDC\ActiveMenu\bak\DDCActiveMenu.exe
----a-w 122,880 2002-06-08 08:18:40 C:\Program Files\WildTangent\DDC\DDCManager\bak\DDCMan.exe
----a-w 122,929 2005-10-26 01:51:58 C:\RECYCLER\S-1-5-21-3615762775-782189750-1497286466-1003\Dc15\bak\FSM32.exe
----a-w 372,736 2005-10-18 08:29:10 C:\RECYCLER\S-1-5-21-3615762775-782189750-1497286466-1003\Dc17\bak\FSSW.exe
----a-w 356,352 2005-05-31 12:45:06 C:\RECYCLER\S-1-5-21-3615762775-782189750-1497286466-1003\Dc17\bak\ispnews.exe
----a-w 700,416 2005-07-18 14:51:18 C:\RECYCLER\S-1-5-21-3615762775-782189750-1497286466-1003\Dc20\bak\TNBUtil.exe
----a-w 158,208 2004-08-04 07:56:53 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe
----a-w 158,208 2004-08-04 07:56:53 C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe
----a-w 212,992 2001-12-19 06:39:26 C:\WINDOWS\SMINST\bak\RECGUARD.exe
----a-w 182 2007-11-14 04:12:51 C:\WINDOWS\system\bak\hpsysdrv.DAT
----a-w 188 2007-08-23 03:55:40 C:\WINDOWS\system\hpsysdrv.DAT
----a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\system\bak\hpsysdrv.exe
----a-w 114,688 2002-05-15 10:20:50 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 155,648 2002-05-15 10:29:02 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 81,920 2002-06-14 23:39:38 C:\WINDOWS\system32\bak\ps2.exe
----a-w 106,549 2002-07-16 15:03:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"uoltray"="C:\Program Files\NetZero\exec.exe" [ ]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [ ]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 45056 C:\WINDOWS\system32\VTPreset.exe]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [ ]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\bak\bak\qttask.exe" [2006-10-25 18:58 282624]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"nwiz"="nwiz.exe" [2002-05-03 18:06 364544 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="NvQTwk" []
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"KBD"="C:\HP\KBD\KBD.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"hoadgbw"="C:\WINDOWS\kjberup.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"DDCM"="C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" [ ]
"DDCActiveMenu"="C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" [ ]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2007-11-01 05:42 182936]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [2007-11-01 05:42 739936]C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Charter High-Speed Security Suite.lnk - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe [2006-11-28 21:42:00]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FSMA"=2 (0x2)
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-11-01 05:42]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Charter High-Speed Security Suite\HIPS\fshs.sys [2007-11-01 05:42]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e62bf8ec-b303-11dc-ac61-00038a000015}]
\Shell\AutoRun\command - H:\.\MigWiz\migsetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e62bf8ee-b303-11dc-ac61-00038a000015}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 04:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2003-08-02 01:44:59 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1049423422.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2003-07-06 20:22:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 15:07:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-13 16:52:40
ComboFix-quarantined-files.txt 2008-01-13 22:52:34
.
2007-12-28 00:31:19 --- E O F ---
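The AWF pattern the helper's FindAWF tool looks for is visible in the logs above: the real autostart executable has been moved into a `bak` subfolder (the ComboFix "AWF" section), while the Run key either still points at the original path or, as with `QuickTime\bak\bak\qttask.exe`, at the displaced copy. The script below is an added triage example, not a tool from this thread or from the FindAWF/ComboFix authors; it parses HijackThis O4 lines and ComboFix AWF lines, flags bak-folder paths, and works out where each displaced original belongs. The sample lines are constructed from the logs posted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input, modelled on the HijackThis O4 lines and the
# ComboFix "AWF" section posted in this thread.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\bak\\bak\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [iTunesHelper] "C:\\Program Files\\iTunes\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [hoadgbw] C:\\WINDOWS\\kjberup.exe
O4 - HKLM\\..\\Run: [Share-to-Web Namespace Daemon] c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe
O4 - HKLM\\..\\Run: [KBD] C:\\HP\\KBD\\KBD.exe
"""

SAMPLE_AWF = """\
----a-w 61,440 2001-07-07 04:56:56 C:\\hp\\KBD\\bak\\KBD.exe
----a-w 256,576 2006-10-30 15:36:36 C:\\Program Files\\iTunes\\bak\\iTunesHelper.exe
----a-w 282,624 2006-10-26 00:58:18 C:\\Program Files\\QuickTime\\bak\\bak\\qttask.exe
----a-w 69,632 2002-04-18 00:42:56 C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\bak\\hpgs2wnd.exe
"""

# HijackThis: O4 - <hive>\..\Run: [<name>] <command line>
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# ComboFix AWF section: <attrs> <size> <date> <time> <path>
AWF_RE = re.compile(r"^(?P<attr>\S+) (?P<size>[\d,]+) (?P<date>\S+ \S+) (?P<path>.+)$")
EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def exe_from_command(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)  # unquoted paths may contain spaces, so stop at .exe
    return m.group(1) if m else cmd.split(" ", 1)[0]


def parse_hjt_o4(text: str) -> list:
    """Return (entry name, executable path) for each HijackThis O4 line."""
    out = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            out.append((m.group("name"), exe_from_command(m.group("cmd"))))
    return out


def parse_awf(text: str) -> list:
    """Return (size in bytes, path) for each line of the ComboFix AWF report."""
    out = []
    for line in text.splitlines():
        m = AWF_RE.match(line.strip())
        if m:
            out.append((int(m.group("size").replace(",", "")), m.group("path")))
    return out


def is_bak_path(path: str) -> bool:
    """True if any directory component of the path is named 'bak'."""
    return any(p.lower() == "bak" for p in PureWindowsPath(path).parts[:-1])


def original_location(path: str) -> str:
    """Where the displaced file lived before it was moved into a bak folder."""
    parts = [p for p in PureWindowsPath(path).parts if p.lower() != "bak"]
    return str(PureWindowsPath(*parts))


def triage(hjt_text: str, awf_text: str) -> dict:
    """Correlate autostart entries with the AWF report."""
    run_entries = parse_hjt_o4(hjt_text)
    displaced = [(p, original_location(p)) for _, p in parse_awf(awf_text) if is_bak_path(p)]
    replaced = {orig.lower() for _, orig in displaced}
    return {
        # Autostarts that point straight into a bak folder.
        "bak_autostarts": [(n, p) for n, p in run_entries if is_bak_path(p)],
        # (bak copy, path it should be restored to) for every displaced original.
        "displaced_originals": displaced,
        # Autostarts still aimed at the original path, which now launch whatever
        # file replaced the original there; these are the ones to examine.
        "autostarts_now_running_replacement": [
            (n, p) for n, p in run_entries if p.lower() in replaced
        ],
    }


if __name__ == "__main__":
    for key, rows in triage(SAMPLE_HJT, SAMPLE_AWF).items():
        print(key)
        for row in rows:
            print("   ", " -> ".join(row))
```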

I see the trojan blocking some of your ports, which is most likely why you cannot access the FindAWF tool site.
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\kjberup.exe
C:\WINDOWS\wovax.exe
C:\WINDOWS\Xhrmy.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hoadgbw"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".
Please go to Virus Total and upload the following file for analysis:
C:\WINDOWS\E60C-BD06-2E6B-03FB.dat
Post the results in your reply along with the new ComboFix log. Then restart the computer and try the FindAWF links.

Here is the log from the ComboFix process - I will do the next step tonight.
ComboFix 08-01-09.2 - Owner 2008-01-16 21:28:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.164 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\WINDOWS\kjberup.exe
C:\WINDOWS\Xhrmy.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.
2008-01-13 14:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 18:22 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-27 18:22 . 2007-06-30 21:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-27 18:22 . 2007-06-30 21:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-27 18:22 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-27 18:22 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-27 18:22 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-27 18:22 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-27 18:22 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-27 18:21 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-27 17:47 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-25 22:50 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-25 22:50 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-25 22:50 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-25 20:39 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 19:39 . 2007-11-01 05:42 57,824 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2007-12-25 19:39 . 2007-11-01 05:42 36,768 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2007-12-25 17:33 . 2007-12-27 18:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-25 10:46 . 2007-12-25 11:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-12-24 13:41 . 2007-12-24 13:41 15 --a------ C:\WINDOWS\E60C-BD06-2E6B-03FB.dat
2007-12-20 21:07 . 2007-12-25 14:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-20 18:18 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-08 00:04 --------- d-----w C:\Program Files\QuickTime
2008-01-07 01:19 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-12-26 04:57 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2007-12-26 04:57 --------- d-----w C:\Program Files\iTunes
2007-12-26 01:42 --------- d-----w C:\Program Files\Charter High-Speed Security Suite
2007-12-26 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2007-12-26 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2007-12-25 21:34 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-13_15.56.38.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-13 20:11:11 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 03:27:24 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-13 20:11:11 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 03:27:25 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-13 20:11:11 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 03:27:25 237,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-13 20:11:12 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 03:27:25 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-13 20:11:13 4,567,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-17 03:27:25 4,567,040 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-13 20:11:13 131,072 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 03:27:25 131,072 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
"uoltray"="C:\Program Files\NetZero\exec.exe" [ ]
"EasyLinkAdvisor"="C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" [ ]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTPreset"="VTPreset.exe" [2004-02-24 20:17 45056 C:\WINDOWS\system32\VTPreset.exe]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [ ]
"Share-to-Web Namespace Daemon"="c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [ ]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\bak\bak\qttask.exe" [2006-10-25 18:58 282624]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"nwiz"="nwiz.exe" [2002-05-03 18:06 364544 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="NvQTwk" []
"MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 08:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"KBD"="C:\HP\KBD\KBD.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"DDCM"="C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" [ ]
"DDCActiveMenu"="C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" [ ]
"CamMonitor"="c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2007-11-01 05:42 182936]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [2007-11-01 05:42 739936]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Charter High-Speed Security Suite.lnk - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe [2006-11-28 21:42:00]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FSMA"=2 (0x2)
R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys [2007-11-01 05:42]
R1 F-Secure HIPS;F-Secure HIPS;C:\Program Files\Charter High-Speed Security Suite\HIPS\fshs.sys [2007-11-01 05:42]
R2 BackWeb Plug-in - 3528733;Charter High-Speed Security Suite;C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.exe [2006-11-28 21:41]
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\minifilter\fsgk.sys [2007-11-01 05:42]
S4 F-Secure Filter;F-Secure File System Filter;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys [2007-11-01 05:42]
S4 F-Secure Recognizer;F-Secure File System Recognizer;C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys [2007-11-01 05:42]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e62bf8ec-b303-11dc-ac61-00038a000015}]
\Shell\AutoRun\command - H:\.\MigWiz\migsetup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e62bf8ee-b303-11dc-ac61-00038a000015}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 04:06:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2003-08-02 01:44:59 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1049423422.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2003-07-06 20:22:38 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-16 21:55:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-01-16 22:17:26
ComboFix-quarantined-files.txt 2008-01-17 04:17:19
ComboFix2.txt 2008-01-13 22:52:43
.
2007-12-28 00:31:19 --- E O F ---

Below is the result from the VirusTotal upload.
File E60C-BD06-2E6B-03FB.dat received on 01.18.2008 02:31:15 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.18.10 2008.01.17 -
AntiVir 7.6.0.48 2008.01.17 -
Authentium 4.93.8 2008.01.17 -
Avast 4.7.1098.0 2008.01.17 -
AVG 7.5.0.516 2008.01.17 -
BitDefender 7.2 2008.01.18 -
CAT-QuickHeal 9.00 2008.01.17 -
ClamAV 0.91.2 2008.01.17 -
DrWeb 4.44.0.09170 2008.01.17 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5467 2008.01.17 -
Ewido 4.0 2008.01.17 -
FileAdvisor 1 2008.01.18 -
Fortinet 3.14.0.0 2008.01.18 -
F-Prot 4.4.2.54 2008.01.17 -
F-Secure 6.70.13260.0 2008.01.17 -
Ikarus T3.1.1.20 2008.01.18 -
Kaspersky 7.0.0.125 2008.01.18 -
McAfee 5210 2008.01.17 -
Microsoft 1.3109 2008.01.18 -
NOD32v2 2803 2008.01.18 -
Norman 5.80.02 2008.01.17 -
Panda 9.0.0.4 2008.01.17 -
Prevx1 V2 2008.01.18 -
Rising 20.27.31.00 2008.01.17 -
Sophos 4.24.0 2008.01.18 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.18 -
TheHacker 6.2.9.189 2008.01.17 -
VBA32 3.12.2.5 2008.01.15 -
VirusBuster 4.3.26:9 2008.01.17 -
Webwasher-Gateway 6.6.2 2008.01.17 -
Additional information
File size: 15 bytes
MD5: 40fe24ef278f6d990180de77b08d21b0
SHA1: f780e33d0cccde09d442839c8a9072cdc69aa8a8
PEiD: -

It ran! Results below.
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Thu 01/17/2008
The current time is: 20:04:52.92
bak folders found
~~~~~~~~~~~
Directory of C:\WINDOWS\BAK
0 File(s) 0 bytes
Directory of C:\HP\KBD\BAK
07/06/2001 10:56 PM 61,440 KBD.exe
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\ITUNES\BAK
10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes
Directory of C:\PROGRA~1\LINKSY~1\BAK
04/02/2006 08:07 PM 389,120 LinksysAgent.exe
1 File(s) 389,120 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\MICROS~3\BAK
07/12/2005 02:35 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
10/03/2007 11:27 AM 28,176 QTTASK.0XE
1 File(s) 28,176 bytes
Directory of C:\WINDOWS\SMINST\BAK
12/19/2001 12:39 AM 212,992 RECGUARD.exe
1 File(s) 212,992 bytes
Directory of C:\WINDOWS\SYSTEM\BAK
11/13/2007 10:12 PM 182 hpsysdrv.DAT
05/07/1998 05:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
05/15/2002 04:20 AM 114,688 hkcmd.exe
05/15/2002 04:29 AM 155,648 igfxtray.exe
06/14/2002 05:39 PM 81,920 ps2.exe
3 File(s) 352,256 bytes
Directory of C:\PROGRA~1\FELLOWES\MEDIAF~1.0\BAK
08/18/2003 05:46 PM 53,248 SetHook.exe
1 File(s) 53,248 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK
04/17/2002 06:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK
10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\REAL\REALPL~1\BAK
12/11/2007 12:02 PM 60 channels.xml
10/10/2002 05:02 PM 26,112 RealPlay.exe
2 File(s) 26,172 bytes
Directory of C:\PROGRA~1\VERITA~1\UPDATE~1\BAK
05/09/2002 09:01 AM 155,648 sgtray.exe
1 File(s) 155,648 bytes
Directory of C:\WINDOWS\SYSTEM32\DLA\BAK
07/16/2002 09:03 AM 106,549 tfswctrl.exe
1 File(s) 106,549 bytes
Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK
06/18/2002 12:11 AM 69,632 hpqcmon.exe
1 File(s) 69,632 bytes
Directory of C:\PROGRA~1\WILDTA~1\DDC\ACTIVE~1\BAK
06/08/2002 02:20 AM 86,016 DDCActiveMenu.exe
1 File(s) 86,016 bytes
Directory of C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\BAK
06/08/2002 02:18 AM 122,880 DDCMan.exe
1 File(s) 122,880 bytes
Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK
08/04/2004 01:56 AM 158,208 MSConfig.exe
1 File(s) 158,208 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 10 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
389632 Apr 2 2006 "C:\Program Files\Linksys EasyLink Advisor\LinksysAdvisor.exe"
389120 Apr 2 2006 "C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
473928 Jul 12 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
24080 Aug 22 2007 "C:\Program Files\QuickTime\QTTASK.0XE"
28176 Oct 3 2007 "C:\Program Files\QuickTime\bak\QTTASK.0XE"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
212992 Dec 19 2001 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
188 Aug 22 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Nov 13 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
114688 May 15 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 May 15 2002 "C:\hp\drivers\video\845\hkcmd.exe"
90112 Aug 8 2001 "C:\hp\drivers\video\i810\HKCMD.exe"
114688 May 15 2002 "C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\hkcmd.exe"
155648 May 15 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 May 15 2002 "C:\hp\drivers\video\845\igfxtray.exe"
143360 Aug 8 2001 "C:\hp\drivers\video\i810\IGFXTRAY.exe"
155648 May 15 2002 "C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\igfxtray.exe"
81920 Jun 14 2002 "C:\hp\drivers\keyboard\PS2.exe"
81920 Jun 14 2002 "C:\WINDOWS\system32\bak\ps2.exe"
53248 Aug 18 2003 "C:\Program Files\Fellowes\MediaFACE 4.0\bak\SetHook.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
3775 Nov 26 2006 "C:\Program Files\Real\RealPlayer\channels.xml"
60 Dec 11 2007 "C:\Program Files\Real\RealPlayer\bak\channels.xml"
26112 Oct 10 2002 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
155648 May 9 2002 "C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe"
106549 Jul 16 2002 "C:\Program Files\DLA\install\tfswctrl.exe"
106549 Jul 16 2002 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
69632 Jun 18 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
86016 Jun 8 2002 "C:\Program Files\WildTangent\DDC\ActiveMenu\bak\DDCActiveMenu.exe"
122880 Jun 8 2002 "C:\Program Files\WildTangent\DDC\DDCManager\bak\DDCMan.exe"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe"
end of report

Option 2
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Copy/paste the following list of bolded files to be restored:
"C:\hp\KBD\bak\KBD.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
"C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
"C:\Program Files\QuickTime\QTTASK.0XE"
"C:\Program Files\QuickTime\bak\QTTASK.0XE"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.exe"
"C:\WINDOWS\system\bak\hpsysdrv.DAT"
"C:\WINDOWS\system\bak\hpsysdrv.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\ps2.exe"
"C:\Program Files\Fellowes\MediaFACE 4.0\bak\SetHook.exe"
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
"C:\Program Files\QuickTime\bak\bak\qttask.exe"
"C:\Program Files\Real\RealPlayer\bak\channels.xml"
"C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
"C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe"
"C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
"C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
"C:\Program Files\WildTangent\DDC\ActiveMenu\bak\DDCActiveMenu.exe"
"C:\Program Files\WildTangent\DDC\DDCManager\bak\DDCMan.exe"
"C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Your java is out of date and can be exploited.
Download the latest version of java from this link Java
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.
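Option 2 above puts the backed-up original back into its parent folder, and the "Duplicate files of bak directory contents" section of the next report is how you verify it: a parent-folder file listed with the same size and date as its bak copy means the original is in place, while a parent-folder file that is missing from the list or differs in size is the one the tool had to replace. The following added Python script (not part of FindAWF or this thread) automates that check over constructed excerpts in the report's format; the path-matching logic, the status names and the sample lines are assumptions for illustration.

```python
import re
from collections import namedtuple

# Constructed excerpts (not real FindAWF output) in the shape of the report's
# "Duplicate files of bak directory contents" section: <size> <Mon> <day> <year> "<path>".
# The first mimics a report taken before Option 2, the second one taken after it.
BEFORE_RESTORE = r"""
61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 10 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
188 Aug 22 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Nov 13 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe"
"""

AFTER_RESTORE = r"""
61440 Jul 6 2001 "C:\hp\KBD\KBD.exe"
61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.exe"
182 Nov 13 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Nov 13 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
"""

# One report line: size, a "Mon d yyyy" date, and a quoted Windows path.
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')

Entry = namedtuple("Entry", "size date path")


def parse_report(text):
    """Return the (size, date, path) entries found in a duplicates-section excerpt."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(int(m.group(1)), " ".join(m.group(2).split()), m.group(3)))
    return entries


def parent_of_bak(path):
    """Map C:\\dir\\bak\\file.exe to C:\\dir\\file.exe; None when the file is not inside a bak folder."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def assess(entries):
    """For every backed-up file, classify the live file in its parent folder.

    'match'    - parent folder holds a copy with identical size and date (original in place)
    'mismatch' - parent folder holds a same-named file of different size or date
    'absent'   - the parent-folder file is not listed as a duplicate at all, which is how
                 the replaced files looked in the thread's first report
    Windows paths are case-insensitive, so lookups are done on lowercased paths.
    """
    by_path = {e.path.lower(): e for e in entries}
    verdicts = {}
    for e in entries:
        parent = parent_of_bak(e.path)
        if parent is None:
            continue  # not a bak copy; lookalikes found elsewhere are ignored
        live = by_path.get(parent.lower())
        if live is None:
            verdicts[parent] = "absent"
        elif live.size == e.size and live.date == e.date:
            verdicts[parent] = "match"
        else:
            verdicts[parent] = "mismatch"
    return verdicts


def suspects(verdicts):
    """Parent-folder files still worth a look after a restore: everything that is not a match."""
    return sorted(p for p, v in verdicts.items() if v != "match")


if __name__ == "__main__":
    for label, report in (("before restore", BEFORE_RESTORE), ("after restore", AFTER_RESTORE)):
        print(label)
        for path, verdict in sorted(assess(parse_report(report)).items()):
            print(f"  {verdict:8} {path}")
```

Nested bak\bak folders are handled like any other: the bak\qttask.exe copy is checked against its own parent, so a leftover C:\Program Files\QuickTime\qttask.exe that never reappears stays on the suspect list.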

new findawf log
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: Fri 01/18/2008
The current time is: 19:05:44.46
bak folders found
~~~~~~~~~~~
Directory of C:\WINDOWS\BAK
0 File(s) 0 bytes
Directory of C:\HP\KBD\BAK
07/06/2001 10:56 PM 61,440 KBD.exe
1 File(s) 61,440 bytes
Directory of C:\PROGRA~1\ITUNES\BAK
10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes
Directory of C:\PROGRA~1\LINKSY~1\BAK
04/02/2006 08:07 PM 389,120 LinksysAgent.exe
1 File(s) 389,120 bytes
Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes
Directory of C:\PROGRA~1\MICROS~3\BAK
07/12/2005 02:35 PM 473,928 gcasServ.exe
1 File(s) 473,928 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK
10/03/2007 11:27 AM 28,176 QTTASK.0XE
10/25/2006 06:58 PM 282,624 qttask.exe
2 File(s) 310,800 bytes
Directory of C:\WINDOWS\SMINST\BAK
12/19/2001 12:39 AM 212,992 RECGUARD.exe
1 File(s) 212,992 bytes
Directory of C:\WINDOWS\SYSTEM\BAK
11/13/2007 10:12 PM 182 hpsysdrv.DAT
05/07/1998 05:04 PM 52,736 hpsysdrv.exe
2 File(s) 52,918 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
05/15/2002 04:20 AM 114,688 hkcmd.exe
05/15/2002 04:29 AM 155,648 igfxtray.exe
06/14/2002 05:39 PM 81,920 ps2.exe
3 File(s) 352,256 bytes
Directory of C:\PROGRA~1\FELLOWES\MEDIAF~1.0\BAK
08/18/2003 05:46 PM 53,248 SetHook.exe
1 File(s) 53,248 bytes
Directory of C:\PROGRA~1\HEWLET~1\HPSHAR~1\BAK
04/17/2002 06:42 PM 69,632 hpgs2wnd.exe
1 File(s) 69,632 bytes
Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK
10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes
Directory of C:\PROGRA~1\REAL\REALPL~1\BAK
12/11/2007 12:02 PM 60 channels.xml
10/10/2002 05:02 PM 26,112 RealPlay.exe
2 File(s) 26,172 bytes
Directory of C:\PROGRA~1\VERITA~1\UPDATE~1\BAK
05/09/2002 09:01 AM 155,648 sgtray.exe
1 File(s) 155,648 bytes
Directory of C:\WINDOWS\SYSTEM32\DLA\BAK
07/16/2002 09:03 AM 106,549 tfswctrl.exe
1 File(s) 106,549 bytes
Directory of C:\PROGRA~1\HEWLET~1\DIGITA~1\UNLOAD\BAK
06/18/2002 12:11 AM 69,632 hpqcmon.exe
1 File(s) 69,632 bytes
Directory of C:\PROGRA~1\WILDTA~1\DDC\ACTIVE~1\BAK
06/08/2002 02:20 AM 86,016 DDCActiveMenu.exe
1 File(s) 86,016 bytes
Directory of C:\PROGRA~1\WILDTA~1\DDC\DDCMAN~1\BAK
06/08/2002 02:18 AM 122,880 DDCMan.exe
1 File(s) 122,880 bytes
Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK
08/04/2004 01:56 AM 158,208 MSConfig.exe
1 File(s) 158,208 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
61440 Jul 6 2001 "C:\hp\KBD\KBD.exe"
61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 10 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
389632 Apr 2 2006 "C:\Program Files\Linksys EasyLink Advisor\LinksysAdvisor.exe"
389120 Apr 2 2006 "C:\Program Files\Linksys EasyLink Advisor\bak\LinksysAgent.exe"
473928 Jul 12 2005 "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
473928 Jul 12 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
28176 Oct 3 2007 "C:\Program Files\QuickTime\QTTASK.0XE"
28176 Oct 3 2007 "C:\Program Files\QuickTime\bak\QTTASK.0XE"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
212992 Dec 19 2001 "C:\WINDOWS\SMINST\RECGUARD.exe"
212992 Dec 19 2001 "C:\WINDOWS\SMINST\bak\RECGUARD.exe"
182 Nov 13 2007 "C:\WINDOWS\system\hpsysdrv.DAT"
182 Nov 13 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
114688 May 15 2002 "C:\WINDOWS\system32\hkcmd.exe"
114688 May 15 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 May 15 2002 "C:\hp\drivers\video\845\hkcmd.exe"
90112 Aug 8 2001 "C:\hp\drivers\video\i810\HKCMD.exe"
114688 May 15 2002 "C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\hkcmd.exe"
155648 May 15 2002 "C:\WINDOWS\system32\igfxtray.exe"
155648 May 15 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 May 15 2002 "C:\hp\drivers\video\845\igfxtray.exe"
143360 Aug 8 2001 "C:\hp\drivers\video\i810\IGFXTRAY.exe"
155648 May 15 2002 "C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\igfxtray.exe"
81920 Jun 14 2002 "C:\WINDOWS\system32\ps2.exe"
81920 Jun 14 2002 "C:\hp\drivers\keyboard\PS2.exe"
81920 Jun 14 2002 "C:\WINDOWS\system32\bak\ps2.exe"
53248 Aug 18 2003 "C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe"
53248 Aug 18 2003 "C:\Program Files\Fellowes\MediaFACE 4.0\bak\SetHook.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"
69632 Apr 17 2002 "C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak\hpgs2wnd.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
60 Dec 11 2007 "C:\Program Files\Real\RealPlayer\channels.xml"
60 Dec 11 2007 "C:\Program Files\Real\RealPlayer\bak\channels.xml"
26112 Oct 10 2002 "C:\Program Files\Real\RealPlayer\RealPlay.exe"
26112 Oct 10 2002 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
155648 May 9 2002 "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe"
155648 May 9 2002 "C:\Program Files\VERITAS Software\Update Manager\bak\sgtray.exe"
106549 Jul 16 2002 "C:\Program Files\DLA\install\tfswctrl.exe"
106549 Jul 16 2002 "C:\WINDOWS\system32\dla\tfswctrl.exe"
106549 Jul 16 2002 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
69632 Jun 18 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe"
69632 Jun 18 2002 "C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak\hpqcmon.exe"
86016 Jun 8 2002 "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe"
86016 Jun 8 2002 "C:\Program Files\WildTangent\DDC\ActiveMenu\bak\DDCActiveMenu.exe"
122880 Jun 8 2002 "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe"
122880 Jun 8 2002 "C:\Program Files\WildTangent\DDC\DDCManager\bak\DDCMan.exe"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig.exe"
158208 Aug 4 2004 "C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak\MSConfig.exe"
end of report

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Copy/paste the following list of bolded folders to be removed:
C:\hp\KBD\bak
C:\Program Files\iTunes\bak
C:\Program Files\Linksys EasyLink Advisor\bak
C:\Program Files\Microsoft AntiSpyware\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system\bak
C:\WINDOWS\system32\bak
C:\Program Files\Fellowes\MediaFACE 4.0\bak
C:\Program Files\Hewlett-Packard\HP Share-to-Web\bak
C:\Program Files\QuickTime\bak\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Real\RealPlayer\bak
C:\Program Files\VERITAS Software\Update Manager\bak
C:\WINDOWS\system32\dla\bak
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\bak
C:\Program Files\WildTangent\DDC\ActiveMenu\bak
C:\Program Files\WildTangent\DDC\DDCManager\bak
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\bak
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next, Option 4:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Next,
Launch Notepad, and copy/paste everything between the X's making "regedit4" the very top line.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional, if the following programs are on your computer:
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
Post a new HijackThis log and a new ComboFix log please.

I lost the FindAWF log...
HijackThis log...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:01:15 AM, on 1/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\bak\bak\qttask.exe
C:\HP\KBD\KBD.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://home.peoplepc.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fsc...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcapl...
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11993 bytes

combofix log...
ComboFix 08-01-09.2 - Owner 2008-01-19 11:04:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-12-19 to 2008-01-19 )))))))))))))))))))))))))))))))
.
2008-01-18 19:44 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-18 19:42 . 2008-01-18 19:44 <DIR> d-------- C:\Program Files\Java
2008-01-18 19:42 . 2008-01-18 19:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-18 19:05 . 2002-05-15 04:29 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-01-18 19:05 . 2002-05-15 04:20 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-01-18 19:05 . 2002-06-14 17:39 81,920 --a------ C:\WINDOWS\system32\ps2.exe
2008-01-18 19:05 . 1998-05-07 17:04 52,736 --a------ C:\WINDOWS\system\hpsysdrv.exe
2008-01-13 14:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-07 19:36 . 2008-01-07 19:36 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-27 18:22 . 2007-10-10 17:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-27 18:22 . 2007-06-30 21:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-27 18:22 . 2007-06-30 21:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-27 18:22 . 2007-10-10 17:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-27 18:22 . 2007-10-10 17:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-27 18:22 . 2007-10-10 17:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-27 18:22 . 2007-10-10 17:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-27 18:22 . 2007-10-10 04:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-27 18:21 . 2007-10-10 17:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-27 17:47 . 2007-08-13 18:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2007-12-25 22:50 . 2006-08-21 03:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-12-25 22:50 . 2006-08-21 03:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-12-25 22:50 . 2006-08-21 06:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-12-25 20:39 . 2007-07-09 07:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-25 19:39 . 2007-11-01 05:42 57,824 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2007-12-25 19:39 . 2007-11-01 05:42 36,768 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2007-12-25 17:33 . 2007-12-27 18:25 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-12-25 10:46 . 2007-12-25 11:06 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\U3
2007-12-24 13:41 . 2007-12-24 13:41 15 --a------ C:\WINDOWS\E60C-BD06-2E6B-03FB.dat
2007-12-20 21:07 . 2007-12-25 14:55 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-20 18:18 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-19 16:30 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-01-19 16:30 --------- d-----w C:\Program Files\Linksys EasyLink Advisor
2008-01-19 16:30 --------- d-----w C:\Program Files\iTunes
2008-01-19 01:05 --------- d-----w C:\Program Files\QuickTime
2008-01-07 01:19 82,380 ----a-w C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-12-26 01:42 --------- d-----w C:\Program Files\Charter High-Speed Security Suite
2007-12-26 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\F-Secure
2007-12-26 01:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\fssg
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-13_15.56.38.60 )))))))))))))))))))))))))))))))))))))))))
.

Looks like part of the combofix log did not post.
Please go to Virus Total and upload the following file for analysis:
C:\WINDOWS\E60C-BD06-2E6B-03FB.dat
Post the results in your reply.
Navigate to and delete this folder:
Program Files\Quicktime
Post a new Combofix log.

File E60C-BD06-2E6B-03FB.dat received on 01.20.2008 01:07:19 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2008.1.19.10 2008.01.18 -
AntiVir 7.6.0.48 2008.01.18 -
Authentium 4.93.8 2008.01.19 -
Avast 4.7.1098.0 2008.01.19 -
AVG 7.5.0.516 2008.01.19 -
BitDefender 7.2 2008.01.20 -
CAT-QuickHeal 9.00 2008.01.19 -
ClamAV 0.91.2 2008.01.19 -
DrWeb 4.44.0.09170 2008.01.19 -
eSafe 7.0.15.0 2008.01.16 -
eTrust-Vet 31.3.5470 2008.01.18 -
Ewido 4.0 2008.01.19 -
FileAdvisor 1 2008.01.20 -
Fortinet 3.14.0.0 2008.01.19 -
F-Prot 4.4.2.54 2008.01.19 -
F-Secure 6.70.13260.0 2008.01.19 -
Ikarus T3.1.1.20 2008.01.19 -
Kaspersky 7.0.0.125 2008.01.20 -
McAfee 5211 2008.01.18 -
Microsoft 1.3109 2008.01.20 -
NOD32v2 2807 2008.01.19 -
Norman 5.80.02 2008.01.18 -
Panda 9.0.0.4 2008.01.19 -
Prevx1 V2 2008.01.20 -
Rising 20.27.50.00 2008.01.19 -
Sophos 4.24.0 2008.01.19 -
Sunbelt 2.2.907.0 2008.01.17 -
Symantec 10 2008.01.19 -
TheHacker 6.2.9.191 2008.01.19 -
VBA32 3.12.2.5 2008.01.19 -
VirusBuster 4.3.26:9 2008.01.19 -
Webwasher-Gateway 6.6.2 2008.01.18 -
Additional information
File size: 15 bytes
MD5: 40fe24ef278f6d990180de77b08d21b0
SHA1: f780e33d0cccde09d442839c8a9072cdc69aa8a8
PEiD: -
working on combofix next

I am unable to completely delete the QuickTime folder; I get a message that access is denied, but the files specified don't appear to be in use per Task Manager.

I get a message that ComboFix has expired, and when I try to download it again it can't find it from the link above.

Run HijackThis, close all windows and browsers except HijackThis, place a check to the left of the following items and press "Fix checked":
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
Exit HijackThis.
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Program Files\QuickTime\bak\bak\qttask.exe
Folder::
C:\Program Files\QuickTime\bak\bak
C:\Program Files\QuickTime\bak
C:\Program Files\QuickTime
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto-start, click "Run".
Post a new HijackThis log please.
How is the computer operating?
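As an added example that is not part of this thread (not the helper's code and not HijackThis or ComboFix's own), here is a small Python script that parses HijackThis O4 startup lines, flags any whose target sits under a bak folder, as the QuickTime entry above does, and writes out the File::/Folder:: sections used in the CFScript step. The lines in SAMPLE_LOG are constructed from entries quoted in this thread.

```python
"""Added example (not from the thread): parse HijackThis O4 startup entries,
flag targets that live under a 'bak' folder (the pattern the helper fixed
above), and emit the ComboFix CFScript File::/Folder:: sections for them.
SAMPLE_LOG is constructed from entries quoted in this thread."""
import re
from pathlib import PureWindowsPath

# HijackThis O4 lines look like:  O4 - HKLM\..\Run: [Name] "C:\path\file.exe" -args
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
# Unquoted command lines may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r'^(.*?\.(?:exe|dll|cpl|scr|com))(?:\s|$)', re.IGNORECASE)

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: officejet 6100.lnk = ?
"""


def command_path(cmd: str) -> str:
    """Return the executable path from an O4 command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split(' ', 1)[0]


def find_bak_entries(log_text: str) -> list:
    """Return O4 entries whose target path has a directory component named 'bak'."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if not m:  # Startup-folder .lnk lines and non-O4 lines are skipped
            continue
        path = command_path(m.group('cmd'))
        dirs = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
        if 'bak' in dirs:
            hits.append({'name': m.group('name'), 'path': path, 'line': line})
    return hits


def cfscript_for(hits: list) -> str:
    """Build the File::/Folder:: text: each flagged file, then its directory
    chain from the innermost 'bak' folder up to and including the first
    folder that is not itself named 'bak' (QuickTime in the thread's case)."""
    files, folders = [], []
    for h in hits:
        p = PureWindowsPath(h['path'])
        files.append(str(p))
        d = p.parent
        while True:
            if str(d) not in folders:
                folders.append(str(d))
            if d.name.lower() != 'bak' or d.parent == d:
                break
            d = d.parent
    return 'File::\n' + '\n'.join(files) + '\nFolder::\n' + '\n'.join(folders) + '\n'


if __name__ == '__main__':
    flagged = find_bak_entries(SAMPLE_LOG)
    for h in flagged:
        print('flagged:', h['line'])
    print(cfscript_for(flagged))
```

The File:: and Folder:: output for the sample matches the script the helper wrote out by hand; on a real log the flagged lines are the ones to review before anything is deleted.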

Delete the combofix version you have.
Please download ComboFix to the desktop from one of the following links:

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:52, on 2008-01-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HP\KBD\KBD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.exe
C:\Program Files\Charter High-Speed Security Suite\FSPC\fspc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://register.hp.com/servlet/WebR...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\nzsearch\nzsearchenh.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: AutoPlay.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Program Files\IMVU\IMVUClient.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Charter High-Speed Security Suite.lnk = C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\Program\fspex.exe
O4 - Global Startup: CompuServe 7.0 Tray Icon.lnk = C:\Program Files\CompuServe 7.0\cstray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: officejet 6100.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Charter High-Speed Security Suite\FSPC\fspcmsie.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - https://install.charter.com/diskless/bin/ssctlsma.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://home.peoplepc.com/diskless/bin/tgctlcm.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fsc...
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/res...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microso...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcapl...
O23 - Service: Charter High-Speed Security Suite (BackWeb Plug-in - 3528733) - BackWeb Technologies Inc. - C:\PROGRA~1\CHARTE~1\backweb\3528733\Program\SERVIC~1.exe
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: FSBWSYS - F-Secure Corp. - C:\Program Files\Charter High-Speed Security Suite\backweb\3528733\program\fsbwsys.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 12365 bytes

Still having problems with the computer.
