pc infected with Drivecleaner, vundo



TonyL
2007-08-16, 17:09
Found drivecleaner and vundo in this pc, so I used spybot s&d, ad-aware, vundofix, and combofix. I just need help checking the scan log to see if there is any more malware left in the pc. Thanks.

Combofix log:

ComboFix 07-08-04.3 - "Princess GIANA" 2007-08-16 9:38:27.4 [GMT -4:00] - NTFS [SAFE MODE]
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.True


((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))


2007-08-16 09:02 <DIR> d-------- C:\VundoFix Backups
2007-08-16 07:29 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2007-08-16 07:29 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2007-08-16 07:29 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2007-08-16 07:16 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-08-16 06:44 22,112 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\COH_Mon.sys
2007-08-15 16:47 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-08-15 16:45 48,776 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2007-08-15 16:45 115,000 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2007-08-15 16:43 <DIR> d-------- C:\Program Files\Symantec
2007-08-15 16:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-15 16:38 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-15 12:48 <DIR> d-------- C:\DOCUME~1\PRINCE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 12:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-15 11:44 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-15 10:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-12 11:19 <DIR> d-------- C:\Netgear
2007-08-09 21:30 <DIR> d--hs---- C:\found.000


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-15 20:03 --------- d-------- C:\Program Files\America Online 9.0a
2007-08-15 19:13 --------- d-------- C:\Program Files\McAfee.com
2007-08-15 18:56 69440 --a------ C:\ysb1.exe
2007-08-15 16:51 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-08-15 16:51 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-08-15 11:36 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-15 08:59 --------- d-------- C:\Program Files\PerfectCleaner
2007-07-25 23:40 --------- d-------- C:\Program Files\America Online 9.0c
2007-07-23 22:32 18432 --a------ C:\WINDOWS\sysrlb32.exe
2007-06-26 11:13 851968 --------- C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 10:09 658944 --------- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 02:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 02:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 09:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 09:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 14:09 96256 --------- C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 14:09 615424 --------- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 14:09 55808 --------- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 14:09 532480 --------- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 14:09 474112 --------- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 14:09 449024 --------- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 14:09 39424 --------- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 14:09 357888 --------- C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 14:09 3058688 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 14:09 251392 --------- C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 14:09 205312 --------- C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 14:09 16384 --------- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 14:09 151040 --------- C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 14:09 1494528 --------- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 14:09 146432 --------- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 14:09 1054208 --------- C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 14:09 1023488 --------- C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 10:07 18432 --------- C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 06:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 06:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2007-05-17 16:22 23808 --a------ C:\WINDOWS\vxddsk.exe
2007-05-17 07:28 549376 --------- C:\WINDOWS\system32\oleaut32.dll
2007-05-17 07:28 549376 --------- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-16 11:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 11:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\inetcomm.dll
2007-05-16 11:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 11:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 11:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2005-05-24 22:55:22 848 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" []
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 01:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 03:11]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]

C:\Documents and Settings\Princess GIANA\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [2004-08-10 15:04:12]
Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2004-08-11 05:22:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk.disabled]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk.disabled
backup=C:\WINDOWS\pss\Kodak software updater.lnk.disabledCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Princess GIANA^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\Princess GIANA\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
C:\WINDOWS\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DwlClient]
C:\Program Files\Common Files\Dell\EUSW\Support.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1128732394\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Program Files\HP\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpenGL Drivers]
C:\WINDOWS\system32\0penGLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Optimum Online]
C:\Program Files\Optimum Online\Netsurf.exe -tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Dell\Media Experience\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
"C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
F:\SystemScan\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewpointPhotosDeviceConnect]
C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.7.0\FotomatDeviceConnect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background
"SysRestore"="C:\DOCUME~1\PRINCE~1\LOCALS~1\Temp\tmp3E.tmp.exe"
"Weather"=C:\Program Files\AWS\WeatherBug\Weather.exe 1
"OpenGL Drivers"=C:\WINDOWS\system32\0penGLD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
"OpenGL Drivers"=C:\WINDOWS\system32\0penGLD.exe

R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
S1 Exportit;Exportit;C:\WINDOWS\system32\DRIVERS\exportit.sys
S1 SASDIFSV;SASDIFSV;\??\F:\SystemScan\SUPERAntiSpyware\SASDIFSV.SYS
S1 SASKUTIL;SASKUTIL;\??\F:\SystemScan\SUPERAntiSpyware\SASKUTIL.sys
S1 SRTSP;SRTSP;C:\WINDOWS\system32\Drivers\SRTSP.SYS
S1 SRTSPX;SRTSPX;C:\WINDOWS\system32\Drivers\SRTSPX.SYS
S2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
S2 CSS DVP;CSS DVP;C:\WINDOWS\system32\DRIVERS\css-dvp.sys
S2 DCFS2K;Kodak DCFS2K Driver;C:\WINDOWS\system32\drivers\dcfs2k.sys
S2 lsass;Local Security Authority Subsystem Service;"C:\WINDOWS\lsass.exe"
S2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
S3 DcFpoint;DcFpoint;C:\WINDOWS\system32\DRIVERS\DcFpoint.sys
S3 DcLps;Legacy Polling Service;C:\WINDOWS\system32\DRIVERS\DcLps.sys
S3 DcPTP;dcptp;C:\WINDOWS\system32\DRIVERS\DcPTP.sys
S3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys
S3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
S3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
S3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
S3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
S3 MREMPR5;MREMPR5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
S3 MRENDIS5;MRENDIS5 NDIS Protocol Driver;\??\C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
S3 PCAMPR5;PCAMPR5 NDIS Protocol Driver;\??\D:\ppp\PCAMPR5.SYS
S3 SASENUM;SASENUM;\??\F:\SystemScan\SUPERAntiSpyware\SASENUM.SYS
S3 senfilt;senfilt;C:\WINDOWS\system32\drivers\senfilt.sys
S3 SRTSPL;SRTSPL;C:\WINDOWS\system32\Drivers\SRTSPL.SYS
S3 USBCM;Scientific Atlanta USB Cable Modem Driver;C:\WINDOWS\system32\DRIVERS\Sacm2K.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 DirectX Drivers;DirectX Drivers;"C:\WINDOWS\D1rectX.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{893fbec6-4b33-11dc-87be-00038a000015}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - COMHOST
*Newly Created Service* - DCFS2K

Contents of the 'Scheduled Tasks' folder
2007-08-05 11:28:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-16 13:33:00 C:\WINDOWS\Tasks\McAfee.com Update Check (DF6G7761-Owner).job - c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-16 13:31:00 C:\WINDOWS\Tasks\McAfee.com Update Check (GIANA-Alyssa).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-16 13:29:00 C:\WINDOWS\Tasks\McAfee.com Update Check (GIANA-Guest).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-16 13:31:00 C:\WINDOWS\Tasks\McAfee.com Update Check (GIANA-Johnny).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-16 13:33:00 C:\WINDOWS\Tasks\McAfee.com Update Check (GIANA-Mommy).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-16 13:32:00 C:\WINDOWS\Tasks\McAfee.com Update Check (GIANA-Princess GIANA).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-16 13:29:00 C:\WINDOWS\Tasks\McAfee.com Update Check (GIANA-rocky8528).job - C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
2007-08-15 21:10:14 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Princess GIANA.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 09:48:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-08-16 9:50:42
C:\ComboFix-quarantined-files.txt ... 2007-08-15 12:38
C:\ComboFix2.txt ... 2007-08-15 12:38

--- E O F ---

TonyL
2007-08-16, 17:11
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:18 AM, on 8/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Princess GIANA\Desktop\HJTv2.02\HJT.exe
C:\WINDOWS\system32\verclsid.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.7.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O20 - AppInit_DLLs:
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - http://myspace-329.vo.llnwd.net/00931/92/35/931475329_l.jpg
O24 - Desktop Component 1: (no name) - http://images.google.com/images?q=tbn:2szRELqvZnMJ:www.its.caltech.edu/~ph76a/japantour/part2/snow.jpg
O24 - Desktop Component 10: (no name) - http://myspace-560.vo.llnwd.net/00931/06/52/931472560_l.jpg
O24 - Desktop Component 2: (no name) - http://aolsvc.mary-kateandashleyworld.kol.aol.com/fun_and_games/images/challenge_600x800_wallpapers.jpg
O24 - Desktop Component 3: (no name) - http://cdn.kol.aol.com/ps_oops_ryanc_0105.jpg
O24 - Desktop Component 4: (no name) - http://ww2.thedollpalace.com/Dolls_library/BR/6.gif
O24 - Desktop Component 5: (no name) - http://ww2.thedollpalace.com/icons/upload/tmpImages/1499.gif
O24 - Desktop Component 6: (no name) - http://ak.scr.imgfarm.com/anim/md/SMCL01.jpg
O24 - Desktop Component 7: (no name) - http://ww2.thedollpalace.com/icons/upload/tmpImages/2697.jpg
O24 - Desktop Component 8: (no name) - http://www.iconator.com/ikons/184/ICONATOR_a49b42e5e7a6d0f66f48133304fdb7ed.gif
O24 - Desktop Component 9: (no name) - http://images.google.com/images?q=tbn:UvbRHzN3sqwJ:www.oldhippy.org/original.jpg

--
End of file - 8858 bytes

I think the pc is pretty clean, just not sure on O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing). I tried to fix it with HJT, but it still showed up in the scan. I also renamed the HJT folder and exe to HJT.exe.
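A check for the kind of entry TonyL asks about, as an added example that is not part of the original thread and not code from HijackThis or ComboFix: it parses HJT "O23 - Service:" lines and ComboFix service lines and flags a service whose image is a core Windows binary registered outside system32, or one that HJT marks "(file missing)" or "Unknown owner". The core-binary list, the helper names and the one constructed sample line are assumptions of this example; the other sample lines are taken from the logs above.

```python
"""Flag service entries whose image path impersonates a core Windows process.

Added example for this thread; not code from HijackThis, ComboFix or the forum.
Heuristic (an assumption of this example): a service whose image file name is a
core Windows binary (lsass.exe, svchost.exe, ...) should only run from the
system32 directory, so a copy anywhere else, an entry marked "(file missing)",
or one with "Unknown owner" deserves a closer look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Core Windows process names that legitimately run only from system32 (assumed list).
CORE_BINARIES = {"lsass.exe", "svchost.exe", "services.exe", "winlogon.exe",
                 "csrss.exe", "smss.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"


@dataclass
class ServiceEntry:
    source: str                  # "hjt" or "combofix"
    name: str                    # short service name, e.g. "lsass"
    path: str                    # image path as logged, surrounding quotes stripped
    owner: str = ""              # HJT vendor/owner field, if present
    file_missing: bool = False
    reasons: List[str] = field(default_factory=list)


def parse_hjt_o23(line: str) -> Optional[ServiceEntry]:
    """Parse 'O23 - Service: <display> (<name>) - <owner> - <path> [(file missing)]'."""
    prefix = "O23 - Service: "
    if not line.startswith(prefix):
        return None
    parts = line[len(prefix):].split(" - ", 2)
    if len(parts) != 3:
        return None
    display, owner, path = parts
    missing = path.endswith(" (file missing)")
    if missing:
        path = path[:-len(" (file missing)")]
    m = re.search(r"\(([^()]+)\)$", display)          # short name in trailing parentheses
    name = m.group(1) if m else display
    return ServiceEntry("hjt", name, path.strip('"'), owner, missing)


def parse_combofix_service(line: str) -> Optional[ServiceEntry]:
    """Parse ComboFix lines such as 'S2 lsass;Local Security Authority ...;"C:\\WINDOWS\\lsass.exe"'."""
    m = re.match(r"^[RS][0-4] ([^;]+);([^;]*);(.+)$", line)
    if not m:
        return None
    name, _display, path = m.groups()
    return ServiceEntry("combofix", name, path.strip('"'))


def check(entry: ServiceEntry) -> ServiceEntry:
    """Attach human-readable reasons for suspicion; an empty list means nothing stood out."""
    path = entry.path.lower()
    if path.startswith("\\??\\"):                      # NT-style prefix seen in driver entries
        path = path[4:]
    directory, _, filename = path.rpartition("\\")
    if filename in CORE_BINARIES and directory != SYSTEM32:
        entry.reasons.append(f"{filename} registered outside system32 ({entry.path})")
    if entry.file_missing:
        entry.reasons.append("image file missing")
    if entry.owner == "Unknown owner":
        entry.reasons.append("no vendor/owner information")
    return entry


def suspicious_services(log_lines) -> List[ServiceEntry]:
    """Run both parsers over raw log lines and return only the flagged entries."""
    flagged = []
    for line in log_lines:
        entry = parse_hjt_o23(line) or parse_combofix_service(line)
        if entry and check(entry).reasons:
            flagged.append(entry)
    return flagged


# Sample log lines: the first four are from the thread's logs, the last one is constructed.
SAMPLE_LOG = [
    r"O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)",
    r"O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe",
    r'S2 lsass;Local Security Authority Subsystem Service;"C:\WINDOWS\lsass.exe"',
    r"R1 DcCam;Kodak Camera Proxy;C:\WINDOWS\system32\DRIVERS\DcCam.sys",
    r"O23 - Service: Constructed Example (example) - Example Corp - C:\WINDOWS\system32\svchost.exe",
]

if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_LOG):
        print(f"[{e.source}] {e.name}: " + "; ".join(e.reasons))
```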

Mr_JAk3
2007-08-16, 21:17
Hello :)

I must warn that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? (http://www.dslreports.com/faq/10451)
When Should I Format, How Should I Reinstall (http://www.dslreports.com/faq/10063)

I can help you in the cleaning if you don't want to reformat but there is a possibility that we can't get you 100% clean.

Please let us know what you have decided to do in your next post.

TonyL
2007-08-18, 01:32
Please guide me on how to clean the pc. I don't want to format the pc as it's not my pc. And can you please tell me where this backdoor trojan is? Thanks.

Mr_JAk3
2007-08-18, 15:28
I'll be happy to help you :)

The backdoor is on your computer, we'll nail it.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.zip) and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All.
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.


Also

Please download the following program and save it to your desktop:

http://noahdfear.geekstogo.com/FindAWF.exe

Once downloaded, double-click on the file to run it. Press any key. Then select option 1 by pressing 1 and then Enter. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

TonyL
2007-08-19, 16:00
Here are the reports:


SDFix: Version 1.99

Run by Princess GIANA on Sat 08/18/2007 at 04:29 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:

Name:
lsass

ImagePath:
"C:\WINDOWS\lsass.exe"

lsass - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Files with Hidden Attributes:

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\Program Files\America Online 9.0a\AOLphx.exe
C:\Program Files\America Online 9.0a\rbm.exe
C:\Program Files\America Online 9.0b\AOLphx.exe
C:\Program Files\America Online 9.0b\rbm.exe
C:\Program Files\America Online 9.0c\aolphx.exe
C:\Program Files\America Online 9.0c\aoltray.exe
C:\Program Files\America Online 9.0c\RBM.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT26.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT27.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT28.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT29.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT3171.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT3174.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT3183.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT3188.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT3199.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT345B.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT345C.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT3460.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT347C.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT348E.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT4D08.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT4D13.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT4D25.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT4D45.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT73B1.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT73ED.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT73FB.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT7683.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT76D0.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT76DA.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT79A8.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT7C4D.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT7C95.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT8239.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT8503.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT85A1.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT8876.tmp
C:\Documents and Settings\Alyssa\Local Settings\Temp\BIT8B43.tmp
C:\WINDOWS\SoftwareDistribution\Download\a9c45075ef03a3247dcd9192c22b10ba\BIT6B.tmp
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG

Finished


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 08/19/2007
The current time is: 7:29:46.76


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

08/01/2006 04:35 PM 67,112 aim.exe
1 File(s) 67,112 bytes

Directory of C:\PROGRA~1\AIM6\BAK

11/07/2006 11:29 AM 50,736 aim6.exe
1 File(s) 50,736 bytes

Directory of C:\PROGRA~1\AMERIC~1.0A\BAK

07/12/2005 09:17 AM 50,776 AOL.EXE
1 File(s) 50,776 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 10:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 07:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\AWS\WEATHE~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 10:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

08/22/2004 05:31 PM 1,327,104 MpfTray.exe
1 File(s) 1,327,104 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 08:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Directory of C:\PROGRA~1\COMMON~1\DELL\EUSW\BAK

10/14/2005 01:26 AM 69,632 Support.exe
1 File(s) 69,632 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

02/25/2007 09:33 PM 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.0\APPS\BAK

06/07/2005 12:46 AM 57,344 apdproxy.exe
1 File(s) 57,344 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\112873~1\EE\BAK

09/25/2006 08:52 PM 50,736 AOLSoftware.exe
1 File(s) 50,736 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

4466776 Oct 29 2005 "C:\AOL Instant Messenger\AIM.exe"
67112 Aug 1 2006 "C:\Program Files\AIM\bak\aim.exe"
50736 Mar 23 2007 "C:\Program Files\AIM6\aim6.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
38000 Sep 1 2004 "C:\Program Files\America Online 9.0\aol.exe"
50776 Jul 12 2005 "C:\Program Files\America Online 9.0b\aol.exe"
45139 Aug 18 2003 "C:\Program Files\America Online 9.0c\aol.exe"
50776 Jul 12 2005 "C:\Program Files\America Online 9.0a\bak\AOL.EXE"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Jan 31 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
1327104 Aug 22 2004 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
77824 May 27 2004 "C:\Program Files\Dell\Support\bin\Support.exe"
69632 Oct 14 2005 "C:\Program Files\Common Files\Dell\EUSW\bak\Support.exe"
32899 Apr 11 2004 "C:\Program Files\Dell\Media Experience\Extension\WTGames\support.exe"
69632 Oct 14 2005 "C:\Documents and Settings\All Users\Application Data\Dell\Alert\588\Support.exe"
52272 Apr 26 2007 "C:\Program Files\Google\googletoolbar1user.exe"
138168 Feb 25 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Feb 25 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
811560 Feb 25 2007 "C:\Documents and Settings\rocky8528\Local Settings\Temporary Internet Files\Content.IE5\7JY5TPLA\GoogleToolbarInstaller_ADBx_en_401019_signed.exe"
57344 Jun 7 2005 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\bak\apdproxy.exe"
50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1128732394\EE\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1128732394\EE\bak\AOLSoftware.exe"


end of report

I did the SDFix scan in safe mode and Find AWF in normal mode. There are also multiple user accounts on it. Should I do the scan in each account, or is one good enough?

Mr_JAk3
2007-08-19, 20:49
Hi :)

No need to run in all accounts, the administrator account is enough...

Ok we'll continue...

Restart to the safe mode again.

Run FindAWF.exe again. Then select option 2 by pressing 2 and then Enter. When it is done there will be a file called files.txt on your desktop. Please post the contents of that file as a reply to this topic.

TonyL
2007-08-20, 00:27
Okay, first of all, I want to thank you for taking your time to help me on this subject. After I talked to the owner of the pc, he decided to go ahead and reformat the pc. So I guess that's the end of the problem. :p:

But I would like to learn more about how to fix this problem for myself. Could you please tell me what I should look for in the log, and, if I understand it correctly, would the next step be to restart again and go to option 3 of the program? Where can I find more info on these programs (SDFix, FindAWF)?

Once again, thanks for your time.

Mr_JAk3
2007-08-21, 21:58
Hi again :)

Ok I'll respect the decision to do a clean install.

These removal things are different on different computers and usually the logs determine the way we continue. If you're interested in malware removal and helping people - The Malware Removal University (http://forum.malwareremoval.com/viewtopic.php?t=233&sid=c3b61db8fdc3ec71f36a79d1d66b34f6) is open :bigthumb: