View Full Version : Unknown (but probable?) malware
toastyme
2007-09-09, 10:42
Hi, this is my first (and hopefully one of my last :laugh:) posts here. I've been suspecting that I have something (malware, virus, spyware) on my computer for a few months. There's really been no sizeable trace of anything detected on my computer by antivirus/spyware programs, so I was hoping someone could take a look at my HJT and Kaspersky logs and advise me. Thank you for any and all information!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:25:13 AM, on 9/9/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\USA Datanet Internet Portal\Netsurf.exe
C:\PROGRA~1\OUTLOO~1\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://right-to-pop.livejournal.com/profile?mode=full
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usadatanet.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136430826218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129958443781
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8755C03C-5753-49A4-8D6B-C879FCCBD372}: NameServer = 69.67.254.2 69.67.254.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7EEA7F4-C0B7-4DC4-B12F-F7234136DEFC}: NameServer = 24.92.32.22,24.92.33.23
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: WRATWMMUPGG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\MARIAE~1\LOCALS~1\Temp\WRATWMMUPGG.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 9205 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, September 09, 2007 3:23:31 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 9/09/2007
Kaspersky Anti-Virus database records: 410468
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan Statistics:
Total number of scanned objects: 57549
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:18:17
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Maria Esposito\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\cert8.db Object is locked skipped
C:\Documents and Settings\Maria Esposito\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\history.dat Object is locked skipped
C:\Documents and Settings\Maria Esposito\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\key3.db Object is locked skipped
C:\Documents and Settings\Maria Esposito\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\parent.lock Object is locked skipped
C:\Documents and Settings\Maria Esposito\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Maria Esposito\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Maria Esposito\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Identities\{8426FFB6-73AB-411D-B6E5-D517604AAD71}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Identities\{8426FFB6-73AB-411D-B6E5-D517604AAD71}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Identities\{8426FFB6-73AB-411D-B6E5-D517604AAD71}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Identities\{8426FFB6-73AB-411D-B6E5-D517604AAD71}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Identities\{8426FFB6-73AB-411D-B6E5-D517604AAD71}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Application Data\Mozilla\Firefox\Profiles\lmzr2gub.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\History\History.IE5\MSHist012007090820070909\index.dat Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\History\History.IE5\MSHist012007090920070910\index.dat Object is locked skipped
C:\Documents and Settings\Maria Esposito\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Maria Esposito\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Maria Esposito\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20061008-190547-871.dll Infected: not-a-virus:AdWare.Win32.Coupons.h skipped
C:\Program Files\McAfee.com\Agent\Data\Logs\TaskScheduler\McTskshd002.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\TridiaVNC\win32\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1540 skipped
C:\Program Files\TridiaVNC\win32\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1540 skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\ipsecpa.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\ModemLog_U.S. Robotics 56K Faxmodem USB.txt Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
D:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
E:\gobackio.bin Object is locked skipped
E:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
Scan process completed.
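The HijackThis log above has three entries a helper would look at before anything else: the ADUserMon Run value points into a bak folder (and the running-process list shows it was indeed launched from there), the EXSHOW95.EXE Run value carries no path at all, and one service runs out of the user's Temp folder. As an added example (editor's code, not part of this thread or of HijackThis), the following triage pass parses O4/O20/O23 lines and flags exactly those three conditions. The sample lines are copied from the log above; the rules and names (Finding, triage) are this example's own, and a flag means "verify", not "malware".

```python
import re
from dataclasses import dataclass

# Entries copied from the HijackThis log posted above (page data, not constructed).
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: WRATWMMUPGG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\MARIAE~1\LOCALS~1\Temp\WRATWMMUPGG.exe
"""

# A Windows path ending in a loadable/executable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|ocx|sys)", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # O4, O20 or O23
    name: str      # value name, service name or notify package
    target: str    # what the entry launches or loads
    reason: str


def split_entry(line):
    """Return (section, name, target) for an O4/O20/O23 line, else None."""
    m = re.match(r"(O4|O20|O23) - (.*)$", line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section == "O4":
        m = re.match(r".*?: \[(.*?)\] (.*)$", rest)            # HKLM\..\Run: [name] command
        if not m:
            m = re.match(r"Global Startup: (.*?) = (.*)$", rest)
        return (section, m.group(1), m.group(2)) if m else None
    if section == "O23":                                        # Service: name - vendor - path
        parts = rest[len("Service: "):].split(" - ")
        return (section, parts[0], parts[-1]) if len(parts) >= 3 else None
    key, _, value = rest.partition(": ")                        # Winlogon Notify: name - path
    if not value.strip():
        return None                                             # e.g. an empty AppInit_DLLs
    name, _, target = value.rpartition(" - ")
    return (section, name or key, target)


def triage(log_text):
    """Flag autostart entries worth a second look: anything launched from a
    'bak' or Temp folder, or with no absolute path at all."""
    findings = []
    for line in log_text.splitlines():
        parsed = split_entry(line)
        if not parsed:
            continue
        section, name, target = parsed
        m = PATH_RE.search(target)
        if not m:
            # A bare file name is resolved through the search path at logon,
            # so which file actually runs depends on the environment.
            findings.append(Finding(section, name, target,
                                    "no absolute path: resolved through the search path"))
            continue
        path = m.group(0)
        folders = {seg.lower() for seg in path.split("\\")[:-1]}
        if "bak" in folders:
            findings.append(Finding(section, name, path, "runs from a 'bak' folder"))
        elif "temp" in folders:
            findings.append(Finding(section, name, path, "runs from a Temp folder"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.section:4} {f.name:14} {f.reason}: {f.target}")
```

The Temp-folder service is attributed to Sysinternals in the log itself, which is consistent with a tool that was run on the machine; the point of the flag is only that a service whose binary lives under a user's Temp folder should be accounted for, not that it is hostile.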
Hello and welcome to the Forums :)
There is something we'll check.
Please download the following program and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Once downloaded, double-click on the file to run it. Press Any key. Then select the option 1 by pressing 1 and then enter. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.
toastyme
2007-09-10, 05:55
Hi, thank you for responding! Let me know if there's anything else I should post! Here is the AWF log:
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Sun 09/09/2007
The current time is: 22:53:47.70
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\QUICKT~1\BAK
12/04/2004 12:18p 98,304 qttask.exe
1 File(s) 98,304 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
10/11/2006 12:20a 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\PROGRA~1\WIFD1F~1\BAK
02/10/2006 05:27p 1,420,560 MSASCui.exe
1 File(s) 1,420,560 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
04/13/2006 01:20p 59,040 ccApp.exe
09/29/2002 09:46p 86,096 SymTray.exe
2 File(s) 145,136 bytes
Directory of C:\PROGRA~1\IOMEGA\AUTODISK\BAK
09/24/2002 05:39p 147,456 ADUserMon.exe
1 File(s) 147,456 bytes
Directory of C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK
07/16/2002 11:55a 32,768 deskup.exe
1 File(s) 32,768 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK
03/24/2004 03:56p 1,380,352 MpfTray.exe
1 File(s) 1,380,352 bytes
Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK
04/19/2004 12:06p 102,400 ViewMgr.exe
1 File(s) 102,400 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK
11/02/2004 05:59p 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
98304 Sep 8 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Dec 4 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
111840 Nov 28 2006 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Oct 11 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
1420560 Feb 10 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
50880 Aug 19 2002 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
86096 Aug 29 2002 "C:\Program Files\Common Files\Symantec Shared\SymTray.exe"
86096 Sep 29 2002 "C:\Program Files\Common Files\Symantec Shared\bak\SymTray.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
1380352 Mar 24 2004 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
102400 Apr 19 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
end of report
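What FindAWF is showing above is a pairing exercise: for every file it finds inside a bak folder it lists the same-named file one level up, if there is one, with size and date. Read that way, the report splits into three groups: bak copies with no live counterpart at all (MSASCui.exe, ADUserMon.exe, deskup.exe, MpfTray.exe, ViewMgr.exe, UsrPrmpt.exe), pairs where the live file is a different size from the bak copy (SNDMon.exe, ccApp.exe), and pairs of equal size (qttask.exe, SymTray.exe). Equal size and date say nothing about content, so the last group cannot be decided from the report alone. As an added example (editor's code, not FindAWF's), this parser does that pairing over the lines copied from the report above; the function names are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Lines copied from the "Duplicate files of bak directory contents" section of
# the FindAWF report posted above (page data, not constructed).
REPORT_LINES = r'''
98304 Sep 8 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Dec 4 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
111840 Nov 28 2006 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Oct 11 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
1420560 Feb 10 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
50880 Aug 19 2002 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
86096 Aug 29 2002 "C:\Program Files\Common Files\Symantec Shared\SymTray.exe"
86096 Sep 29 2002 "C:\Program Files\Common Files\Symantec Shared\bak\SymTray.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
'''

# size, "Mon d yyyy", quoted path
LINE_RE = re.compile(r'^(\d+) (\w{3} \d{1,2} \d{4}) "(.+)"$')


def parse_report(text):
    """Map each quoted path to (size, date) exactly as FindAWF listed it."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(3)] = (int(m.group(1)), m.group(2))
    return entries


def pair_bak_files(text):
    """For every file under a 'bak' folder, look for the same-named file one
    level up and report whether it is missing, the same size, or a different size."""
    entries = parse_report(text)
    by_lower = {k.lower(): k for k in entries}      # Windows paths are case-insensitive
    results = []
    for path, (bak_size, bak_date) in entries.items():
        p = PureWindowsPath(path)
        if p.parent.name.lower() != "bak":
            continue
        live = str(p.parent.parent / p.name)
        key = by_lower.get(live.lower())
        if key is None:
            status = "live file missing"
        else:
            live_size, live_date = entries[key]
            status = ("same size as bak copy" if live_size == bak_size
                      else f"size differs ({live_size} live vs {bak_size} in bak)")
            status += f"; live dated {live_date}, bak dated {bak_date}"
        results.append((live, status))
    return results


if __name__ == "__main__":
    for live, status in pair_bak_files(REPORT_LINES):
        print(f"{status:60} {live}")
```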
Ok we'll continue :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Restart your computer into Safe Mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Run FindAWF.exe again. This time select the option 2 by pressing 2 and then enter. When it is done there will be a file called files.txt on your desktop. Restart the computer normally. Please post the contents of that file as a reply to this topic.
toastyme
2007-09-11, 06:51
Okay, I followed your directions, but I'm not sure that it turned out right. I'm not sure what I did wrong!
I opened the program, pressed 2, and files.txt did open. It says:
Copy the list of files to be restored then click BELOW THE LINE
and paste the list by pressing Ctrl+V
IMPORTANT - Paths containing spaces must be wrapped in quotes!!
When done, close this file and click YES to save the changes.
_________________________________________________
Except, I didn't copy and paste anything there. I couldn't see a list of files anywhere. Finally, I saw nothing was happening with the open program, so I saved files.txt and closed it. When I closed the text file, the program window started 'searching for bak folders' and 'searching for duplicate files.' Awf.txt opened up again. I'll repost the contents of that here. I'm not sure that it's any different.
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: Mon 09/10/2007
The current time is: 23:35:54.85
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\QUICKT~1\BAK
12/04/2004 12:18p 98,304 qttask.exe
1 File(s) 98,304 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
10/11/2006 12:20a 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\PROGRA~1\WIFD1F~1\BAK
02/10/2006 05:27p 1,420,560 MSASCui.exe
1 File(s) 1,420,560 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
04/13/2006 01:20p 59,040 ccApp.exe
09/29/2002 09:46p 86,096 SymTray.exe
2 File(s) 145,136 bytes
Directory of C:\PROGRA~1\IOMEGA\AUTODISK\BAK
09/24/2002 05:39p 147,456 ADUserMon.exe
1 File(s) 147,456 bytes
Directory of C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK
07/16/2002 11:55a 32,768 deskup.exe
1 File(s) 32,768 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK
03/24/2004 03:56p 1,380,352 MpfTray.exe
1 File(s) 1,380,352 bytes
Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK
04/19/2004 12:06p 102,400 ViewMgr.exe
1 File(s) 102,400 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK
11/02/2004 05:59p 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
98304 Sep 8 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Dec 4 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
111840 Nov 28 2006 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Oct 11 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
1420560 Feb 10 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
50880 Aug 19 2002 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
86096 Aug 29 2002 "C:\Program Files\Common Files\Symantec Shared\SymTray.exe"
86096 Sep 29 2002 "C:\Program Files\Common Files\Symantec Shared\bak\SymTray.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
1380352 Mar 24 2004 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
102400 Apr 19 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
end of report
Okay, I must have done something wrong, right?
Hello :)
Yes, something is not right. Let's try again.
In normal mode...
Run FindAWF.exe again. This time select the option 2 by pressing 2 and then enter. When it is done there will be a file called files.txt on your desktop. Restart the computer normally. Please post the contents of that file as a reply to this topic.
toastyme
2007-09-12, 06:13
:scratch: What could I be doing wrong?! Okay, I had the exact same result running FindAWF in normal mode. I double-click on the program, 'press any key', press 2 (to restore files from bak folders), and then enter. Files.txt doesn't just show up as a file on my desktop. It opens automatically. Should that be happening? Once again it said:
Copy the list of files to be restored then click BELOW THE LINE
and paste the list by pressing Ctrl+V
IMPORTANT - Paths containing spaces must be wrapped in quotes!!
When done, close this file and click YES to save the changes.
_________________________________________________
and once again, I didn't post anything. When I saved and closed it, FindAWF scanned for bak files as before, and I got another awf.txt:
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: Mon 09/10/2007
The current time is: 23:35:54.85
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\QUICKT~1\BAK
12/04/2004 12:18p 98,304 qttask.exe
1 File(s) 98,304 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
10/11/2006 12:20a 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\PROGRA~1\WIFD1F~1\BAK
02/10/2006 05:27p 1,420,560 MSASCui.exe
1 File(s) 1,420,560 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
04/13/2006 01:20p 59,040 ccApp.exe
09/29/2002 09:46p 86,096 SymTray.exe
2 File(s) 145,136 bytes
Directory of C:\PROGRA~1\IOMEGA\AUTODISK\BAK
09/24/2002 05:39p 147,456 ADUserMon.exe
1 File(s) 147,456 bytes
Directory of C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK
07/16/2002 11:55a 32,768 deskup.exe
1 File(s) 32,768 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK
03/24/2004 03:56p 1,380,352 MpfTray.exe
1 File(s) 1,380,352 bytes
Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK
04/19/2004 12:06p 102,400 ViewMgr.exe
1 File(s) 102,400 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK
11/02/2004 05:59p 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
98304 Sep 8 2007 "C:\Program Files\QuickTime\qttask.exe"
98304 Dec 4 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
111840 Nov 28 2006 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Oct 11 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
1420560 Feb 10 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
50880 Aug 19 2002 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
86096 Aug 29 2002 "C:\Program Files\Common Files\Symantec Shared\SymTray.exe"
86096 Sep 29 2002 "C:\Program Files\Common Files\Symantec Shared\bak\SymTray.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
1380352 Mar 24 2004 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
102400 Apr 19 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
end of report
When I restarted my computer, there was no difference in files.txt, so I'll just post it again. Hmm, I'm going to try it again, and, if there's any difference, I'll repost the results. Sorry about this trouble!
OK we'll do this manually then :) Don't worry
You should print these instructions or save these to a text file. Follow these instructions carefully.
Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.
Restart your computer into Safe Mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.
Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad window and choose Save As:
Name the file: del.bat
Save as type: All files
Select the Desktop icon on the left to save it on the desktop.
Double click on del.bat and let it run. A window will open and close.
@echo off
REM Put the original startup executables back: for each program, delete the
REM file currently in place and copy the copy from the bak folder over it.
REM The quoted paths are the short (8.3) names from the FindAWF report.
if exist "C:\PROGRA~1\QUICKT~1\qttask.exe" del /q "C:\PROGRA~1\QUICKT~1\qttask.exe"
copy /y "C:\PROGRA~1\QUICKT~1\BAK\qttask.exe" "C:\PROGRA~1\QUICKT~1\qttask.exe"
if exist "C:\PROGRA~1\SYMNET~1\SNDMon.exe" del /q "C:\PROGRA~1\SYMNET~1\SNDMon.exe"
copy /y "C:\PROGRA~1\SYMNET~1\BAK\SNDMon.exe" "C:\PROGRA~1\SYMNET~1\SNDMon.exe"
if exist "C:\PROGRA~1\WIFD1F~1\MSASCui.exe" del /q "C:\PROGRA~1\WIFD1F~1\MSASCui.exe"
copy /y "C:\PROGRA~1\WIFD1F~1\BAK\MSASCui.exe" "C:\PROGRA~1\WIFD1F~1\MSASCui.exe"
if exist "C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe" del /q "C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe"
copy /y "C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\ccApp.exe" "C:\PROGRA~1\COMMON~1\SYMANT~1\ccApp.exe"
if exist "C:\PROGRA~1\COMMON~1\SYMANT~1\SymTray.exe" del /q "C:\PROGRA~1\COMMON~1\SYMANT~1\SymTray.exe"
copy /y "C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\SymTray.exe" "C:\PROGRA~1\COMMON~1\SYMANT~1\SymTray.exe"
if exist "C:\PROGRA~1\IOMEGA\AUTODISK\ADUserMon.exe" del /q "C:\PROGRA~1\IOMEGA\AUTODISK\ADUserMon.exe"
copy /y "C:\PROGRA~1\IOMEGA\AUTODISK\BAK\ADUserMon.exe" "C:\PROGRA~1\IOMEGA\AUTODISK\ADUserMon.exe"
if exist "C:\PROGRA~1\IOMEGA\DRIVEI~1\deskup.exe" del /q "C:\PROGRA~1\IOMEGA\DRIVEI~1\deskup.exe"
copy /y "C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK\deskup.exe" "C:\PROGRA~1\IOMEGA\DRIVEI~1\deskup.exe"
if exist "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe" del /q "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe"
copy /y "C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK\MpfTray.exe" "C:\PROGRA~1\MCAFEE.COM\PERSON~1\MpfTray.exe"
if exist "C:\PROGRA~1\VIEWPO~1\VIEWPO~2\ViewMgr.exe" del /q "C:\PROGRA~1\VIEWPO~1\VIEWPO~2\ViewMgr.exe"
copy /y "C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK\ViewMgr.exe" "C:\PROGRA~1\VIEWPO~1\VIEWPO~2\ViewMgr.exe"
if exist "C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\UsrPrmpt.exe" del /q "C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\UsrPrmpt.exe"
copy /y "C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK\UsrPrmpt.exe" "C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\UsrPrmpt.exe"
Run ATF Cleaner:
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
Run a scan with Dr.Web CureIt:
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks whether you want to cure/move the file.
When the scan has finished, check whether you can click the icon next to the files found.
If so, click it, then click the icon right below it and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot the computer in Normal Mode.
Post the CureIt report and a fresh HijackThis log.
Also run FindAWF.exe again with option 1 and post the log here.
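The del.bat above does the restore the blunt way: del the file in place, copy the bak copy back, trusting the FindAWF listing for which pairs exist. As an added example (editor's code, not FindAWF's and not the helper's batch), here is the same bak-folder check and restore done on a directory tree, with two changes a practitioner would want: live and bak files are compared by SHA-256 rather than by size and date, and a live file that differs is moved into a quarantine folder under a non-executable name instead of being deleted, so the suspect binary survives for analysis. The directory layout, file names and contents are constructed to mirror the three cases in the report (replaced, identical, missing); it runs on any OS against a temporary folder.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root):
    """Walk root; for every file inside a folder named 'bak', look at the
    same-named file one level up and classify it as missing/identical/differs."""
    pairs = []
    for bak_file in Path(root).rglob("*"):
        if not bak_file.is_file() or bak_file.parent.name.lower() != "bak":
            continue
        live = bak_file.parent.parent / bak_file.name
        if not live.exists():
            status = "missing"
        elif sha256_of(live) == sha256_of(bak_file):
            status = "identical"
        else:
            status = "differs"
        pairs.append((live, bak_file, status))
    return sorted(pairs)


def restore_from_bak(pairs, quarantine_dir):
    """Put each bak copy back in place. A live file that differs is moved into
    quarantine_dir (renamed with its hash and a .quar suffix) rather than
    deleted; identical pairs are left untouched."""
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    restored = []
    for live, bak_file, status in pairs:
        if status == "identical":
            continue
        if status == "differs":
            dest = quarantine_dir / f"{live.name}.{sha256_of(live)[:12]}.quar"
            shutil.move(str(live), str(dest))
        shutil.copy2(bak_file, live)
        restored.append(live)
    return restored


def build_demo_tree(root):
    """Constructed layout (not the real machine): one replaced live file,
    one identical pair, one bak copy with no live file at all."""
    root = Path(root)
    layout = {
        "SymNetDrv/SNDMon.exe": b"SUSPECT-REPLACEMENT",
        "SymNetDrv/bak/SNDMon.exe": b"ORIGINAL-SNDMON",
        "QuickTime/qttask.exe": b"ORIGINAL-QTTASK",
        "QuickTime/bak/qttask.exe": b"ORIGINAL-QTTASK",
        "Windows Defender/bak/MSASCui.exe": b"ORIGINAL-MSASCUI",
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    root = build_demo_tree(tempfile.mkdtemp(prefix="awf-demo-"))
    pairs = find_bak_pairs(root)
    restored = restore_from_bak(pairs, root / "_quarantine")
    return pairs, restored, root


if __name__ == "__main__":
    pairs, restored, root = demo()
    for live, bak_file, status in pairs:
        print(f"{status:9} {live.relative_to(root)}")
    print("restored:", [p.name for p in restored])
    print("quarantined:", [p.name for p in (root / "_quarantine").iterdir()])
```

On the real machine a live file that is currently running cannot be replaced, which is why the helper has the batch run from Safe Mode; the same applies to this script.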
toastyme
2007-09-13, 12:17
Okay, I think this went well, or, at least, something happened this time! First, here's my DrWeb.csv:
Process.exe;C:\Documents and Settings\Maria Esposito\Desktop\probs\AWF;Tool.Prockill;Incurable.Moved.;
backup-20061008-190547-871.dll;C:\Program Files\HijackThis\backups;Adware.Coupons;Incurable.Moved.;
WinVNC.exe;C:\Program Files\TridiaVNC\win32;Program.RemoteAdmin;Incurable.Moved.;
Here is my updated HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:33 AM, on 9/13/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://right-to-pop.livejournal.com/profile?mode=full
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usadatanet.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136430826218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129958443781
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7EEA7F4-C0B7-4DC4-B12F-F7234136DEFC}: NameServer = 24.92.32.22,24.92.33.23
O20 - AppInit_DLLs:
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: WRATWMMUPGG - Unknown owner - C:\DOCUME~1\MARIAE~1\LOCALS~1\Temp\WRATWMMUPGG.exe (file missing)
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 9260 bytes
And, finally, my updated FindAWF log:
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Thu 09/13/2007
The current time is: 5:01:19.48
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\QUICKT~1\BAK
12/04/2004 12:18p 98,304 qttask.exe
1 File(s) 98,304 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
10/11/2006 12:20a 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\PROGRA~1\WIFD1F~1\BAK
02/10/2006 05:27p 1,420,560 MSASCui.exe
1 File(s) 1,420,560 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
04/13/2006 01:20p 59,040 ccApp.exe
09/29/2002 09:46p 86,096 SymTray.exe
2 File(s) 145,136 bytes
Directory of C:\PROGRA~1\IOMEGA\AUTODISK\BAK
09/24/2002 05:39p 147,456 ADUserMon.exe
1 File(s) 147,456 bytes
Directory of C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK
07/16/2002 11:55a 32,768 deskup.exe
1 File(s) 32,768 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK
03/24/2004 03:56p 1,380,352 MpfTray.exe
1 File(s) 1,380,352 bytes
Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK
04/19/2004 12:06p 102,400 ViewMgr.exe
1 File(s) 102,400 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK
11/02/2004 05:59p 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
98304 Dec 4 2004 "C:\Program Files\QuickTime\qttask.exe"
98304 Dec 4 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
100056 Oct 11 2006 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Oct 11 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
1420560 Feb 10 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
1420560 Feb 10 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
86096 Sep 29 2002 "C:\Program Files\Common Files\Symantec Shared\SymTray.exe"
86096 Sep 29 2002 "C:\Program Files\Common Files\Symantec Shared\bak\SymTray.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\deskup.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
1380352 Mar 24 2004 "C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe"
1380352 Mar 24 2004 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
102400 Apr 19 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
102400 Apr 19 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
end of report
I hope to be back online later today, but I'm switching ISPs. There's going to be about a week between getting rid of this one and getting the other, and I don't have access to another computer. I'm not really sure if the current ISP will cut off service immediately, or if I'll have it until the other service starts. So, there's a possibility that I may not be online for a few days, but I haven't abandoned this thread! Just thought I should give you a heads up! Also, I just want to thank you for helping me! I really appreciate the guidance. Hopefully I will be back later, and I'll be ready to do whatever else needs to be done! Thank you again!
Ok looks much better now :)
You should print these instructions or save these to a text file. Follow these instructions carefully.
Disable the bad service
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to WRATWMMUPGG
Right-click it and choose Stop.
Then choose Properties
Set Startup to Disabled
Click Apply and OK.
Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; WRATWMMUPGG
Answer Yes
Close HijackThis.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entries too if you haven't locked Internet Explorer settings on purpose.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs:
Restart the pc.
Run FindAWF.exe again. Press any key. Then select option 3 by pressing 3 and then Enter. A file named folders should open. Please post the contents of that file as a reply to this topic, along with one more HijackThis log.
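An added example, not part of the helper's post and not code from HijackThis, FindAWF or any other tool named in this thread: a small Python filter that applies the same reading of a HijackThis log that the instructions above rely on. It flags O4 autostart entries that run out of a bak folder, O6 policy keys, the O20 AppInit_DLLs value, and O23 services whose binary sits in a Temp folder, is reported missing, or carries no vendor string. The sample lines are copied from the log posted earlier in the thread; the severity levels and reason strings are my own assumptions, not HijackThis output.

```python
import re
from typing import Dict, List

# Constructed sample input: lines in HijackThis v2 format copied from the log
# entries discussed in this thread, plus one benign O4 and one benign O23
# line so the filter has something to leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: WRATWMMUPGG - Unknown owner - C:\DOCUME~1\MARIAE~1\LOCALS~1\Temp\WRATWMMUPGG.exe (file missing)
"""

# A service binary has no business living under a Temp folder.
TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)
# AWF's signature: an autostart entry that executes out of a "bak" folder.
BAK_PATH = re.compile(r"\\bak\\", re.IGNORECASE)
# O23 - Service: <display name> - <vendor or "Unknown owner"> - <path>
O23_LINE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def _finding(section: str, severity: str, reason: str, line: str) -> Dict[str, str]:
    return {"section": section, "severity": severity, "reason": reason, "line": line}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return the HijackThis lines worth a second look, each with a reason and a severity."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O4 - ") and BAK_PATH.search(line):
            findings.append(_finding("O4", "high",
                "autostart runs from a bak folder: AWF parks the real binary there and takes its place", line))
        elif line.startswith("O6 - ") and line.endswith(" present"):
            findings.append(_finding("O6", "medium",
                "IE policy restrictions are set; fix unless the user locked the settings on purpose", line))
        elif line.startswith("O20 - AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].strip()
            if dlls:
                findings.append(_finding("O20", "high",
                    "AppInit_DLLs loads these DLLs into every process that links user32.dll", line))
            else:
                findings.append(_finding("O20", "low",
                    "AppInit_DLLs value is present but empty; harmless, safe to clear", line))
        else:
            m = O23_LINE.match(line)
            if not m:
                continue
            path, owner = m.group("path"), m.group("owner")
            reasons = []
            if TEMP_PATH.search(path):
                reasons.append("service binary in a Temp folder")
            if path.endswith("(file missing)"):
                reasons.append("binary no longer on disk")
            if owner == "Unknown owner":
                reasons.append("no vendor string")
            if not reasons:
                continue
            if TEMP_PATH.search(path):
                severity = "high"
            elif path.endswith("(file missing)"):
                severity = "medium"
            else:
                severity = "low"  # no vendor string alone is weak evidence (e.g. Adobe LM Service)
            findings.append(_finding("O23", severity, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['section']}: {f['reason']}")
        print(f"         {f['line']}")
```

On the constructed sample it reports five lines: the bak-folder O4, both O6 keys, the empty AppInit_DLLs value as low, and the WRATWMMUPGG service as high, while leaving the Symantec entries alone. Feed it a full log with `triage(open("hijackthis.log").read())`.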
toastyme
2007-09-14, 11:00
Hi, I'm still here! :)
Okay, I followed your directions, restarted, but had an experience with FindAWF that was similar to the last couple of times I used it. Pressed '3' and the 'folders' did appear, but it was just like those last few times:
Copy the list of folders to be removed then click BELOW THE LINE
and paste the list by pressing Ctrl+V
IMPORTANT - REMOVE ALL QUOTES !! No Filenames and no trailing slash!
When done, close this file and click YES to save the changes.
_________________________________________________
I assume I'm not supposed to put anything there? I noticed that when I run the program two files appear with the one that opens (in this case, folders.txt): locate.com and Process.exe. I'm assuming that's supposed to happen? After I closed folders.txt, FindAWF started 'searching for bak folders' again. After it scanned, this new awf.exe log came up:
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Fri 09/14/2007
The current time is: 3:45:07.45
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\QUICKT~1\BAK
12/04/2004 12:18p 98,304 qttask.exe
1 File(s) 98,304 bytes
Directory of C:\PROGRA~1\SYMNET~1\BAK
10/11/2006 12:20a 100,056 SNDMon.exe
1 File(s) 100,056 bytes
Directory of C:\PROGRA~1\WIFD1F~1\BAK
02/10/2006 05:27p 1,420,560 MSASCui.exe
1 File(s) 1,420,560 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
04/13/2006 01:20p 59,040 ccApp.exe
09/29/2002 09:46p 86,096 SymTray.exe
2 File(s) 145,136 bytes
Directory of C:\PROGRA~1\IOMEGA\AUTODISK\BAK
09/24/2002 05:39p 147,456 ADUserMon.exe
1 File(s) 147,456 bytes
Directory of C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK
07/16/2002 11:55a 32,768 deskup.exe
1 File(s) 32,768 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK
03/24/2004 03:56p 1,380,352 MpfTray.exe
1 File(s) 1,380,352 bytes
Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK
04/19/2004 12:06p 102,400 ViewMgr.exe
1 File(s) 102,400 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK
11/02/2004 05:59p 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
98304 Dec 4 2004 "C:\Program Files\QuickTime\qttask.exe"
98304 Dec 4 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
100056 Oct 11 2006 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Oct 11 2006 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
1420560 Feb 10 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
1420560 Feb 10 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
59040 Apr 13 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
86096 Sep 29 2002 "C:\Program Files\Common Files\Symantec Shared\SymTray.exe"
86096 Sep 29 2002 "C:\Program Files\Common Files\Symantec Shared\bak\SymTray.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\deskup.exe"
32768 Jul 16 2002 "C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
1380352 Mar 24 2004 "C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe"
1380352 Mar 24 2004 "C:\Program Files\McAfee.com\Personal Firewall\bak\MpfTray.exe"
102400 Apr 19 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe"
102400 Apr 19 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Nov 2 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
end of report
And, finally, the latest HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:47:16 AM, on 9/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\USA Datanet Internet Portal\Netsurf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINNT\system32\notepad.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://right-to-pop.livejournal.com/profile?mode=full
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usadatanet.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136430826218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129958443781
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7EEA7F4-C0B7-4DC4-B12F-F7234136DEFC}: NameServer = 24.92.32.22,24.92.33.23
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 9103 bytes
toastyme
2007-09-14, 11:03
Yikes, sorry for all the typos! :red: And, of course, I meant '..this new awf.txt log came up.'
Hi again :)
My bad, just noticed something...
Go to Start >Run and type "Notepad" without the quotes
Copy the text from the quotebox to Notepad.
Go to the menu at the top of the Notepad file and choose Save as. Name the file del.bat, set Save as Type to All files, and select the Desktop icon on the left to save it on the desktop.
Double click on del.bat and let it run. A window will open and close.
attrib -r -h C:\PROGRA~1\QUICKT~1\BAK\*.*
del /a /f /q C:\PROGRA~1\QUICKT~1\BAK\*.*
RD /s /q "C:\PROGRA~1\QUICKT~1\BAK"
attrib -r -h C:\PROGRA~1\SYMNET~1\BAK\*.*
del /a /f /q C:\PROGRA~1\SYMNET~1\BAK\*.*
RD /s /q "C:\PROGRA~1\SYMNET~1\BAK"
attrib -r -h C:\PROGRA~1\WIFD1F~1\BAK\*.*
del /a /f /q C:\PROGRA~1\WIFD1F~1\BAK\*.*
RD /s /q "C:\PROGRA~1\WIFD1F~1\BAK"
attrib -r -h C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\*.*
del /a /f /q C:\PROGRA~1\COMMON~1\SYMANT~1\BAK\*.*
RD /s /q "C:\PROGRA~1\COMMON~1\SYMANT~1\BAK"
attrib -r -h C:\PROGRA~1\IOMEGA\AUTODISK\BAK\*.*
del /a /f /q C:\PROGRA~1\IOMEGA\AUTODISK\BAK\*.*
RD /s /q "C:\PROGRA~1\IOMEGA\AUTODISK\BAK"
attrib -r -h C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK\*.*
del /a /f /q C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK\*.*
RD /s /q "C:\PROGRA~1\IOMEGA\DRIVEI~1\BAK"
attrib -r -h C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK\*.*
del /a /f /q C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK\*.*
RD /s /q "C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK"
attrib -r -h C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK\*.*
del /a /f /q C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK\*.*
RD /s /q "C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK"
attrib -r -h C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK\*.*
del /a /f /q C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK\*.*
RD /s /q "C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK"
Now please run FindAWF again with option 1 and post that log here along with a fresh HijackThis log.
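An added example, not the helper's del.bat and not part of FindAWF: a Python version of the same clean-up that deletes a bak copy only after verifying, by SHA-256, that the live file next to it is byte-identical. del.bat removes the bak folders unconditionally, which is fine once FindAWF's "Duplicate files" list shows matching sizes and dates for every pair, but a hash comparison also catches the case where a live file is still the stand-in and the bak copy is the only good one. The directory tree and the file contents below are constructed for the demonstration; only the file names follow the report above. Point it at a real Program Files tree only after taking a backup.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_bak_folders(root: Path) -> List[Dict[str, str]]:
    """Pair every file in a bak folder with its same-named sibling one level up
    and classify the pair as identical, differs, or live-missing."""
    results: List[Dict[str, str]] = []
    for bak_dir in sorted(p for p in root.rglob("bak") if p.is_dir()):
        for bak_file in sorted(p for p in bak_dir.iterdir() if p.is_file()):
            live = bak_dir.parent / bak_file.name
            if not live.exists():
                status = "live-missing"  # nothing to compare; keep the only copy
            elif sha256_of(live) == sha256_of(bak_file):
                status = "identical"     # original restored; the bak copy is redundant
            else:
                status = "differs"       # live file is not the original; restore it first
            results.append({"name": bak_file.name, "bak": str(bak_file),
                            "live": str(live), "status": status})
    return results


def remove_redundant_baks(root: Path) -> Tuple[List[str], List[str]]:
    """The attrib / del / RD steps of del.bat, gated on the hash check.
    Returns (removed, kept) as lists of bak file paths."""
    removed: List[str] = []
    kept: List[str] = []
    for entry in audit_bak_folders(root):
        bak_file = Path(entry["bak"])
        if entry["status"] == "identical":
            bak_file.chmod(0o666)  # equivalent of attrib -r: clear read-only before deleting
            bak_file.unlink()
            removed.append(str(bak_file))
        else:
            kept.append(str(bak_file))
    # equivalent of RD, but only for bak folders that are now empty
    for bak_dir in sorted((p for p in root.rglob("bak") if p.is_dir()), reverse=True):
        if not any(bak_dir.iterdir()):
            bak_dir.rmdir()
    return removed, kept


def remaining_bak_dirs(root: Path) -> List[str]:
    """bak folders still present under root, relative to root."""
    return sorted(str(p.relative_to(root)) for p in root.rglob("bak") if p.is_dir())


def build_sample_tree() -> Path:
    """Constructed test layout using file names from the FindAWF report in this
    thread; the byte contents are made up, not the real binaries."""
    root = Path(tempfile.mkdtemp(prefix="awf-"))
    # 1. already restored: live and bak copies identical, like qttask.exe in the report
    qt = root / "QuickTime"
    (qt / "bak").mkdir(parents=True)
    (qt / "qttask.exe").write_bytes(b"MZ constructed quicktime " * 100)
    (qt / "bak" / "qttask.exe").write_bytes(b"MZ constructed quicktime " * 100)
    # 2. still swapped: the live file is a stand-in, bak holds the original
    io = root / "Iomega" / "AutoDisk"
    (io / "bak").mkdir(parents=True)
    (io / "ADUserMon.exe").write_bytes(b"MZ constructed stand-in")
    (io / "bak" / "ADUserMon.exe").write_bytes(b"MZ constructed ADUserMon " * 50)
    # 3. live file gone entirely
    vp = root / "Viewpoint" / "Viewpoint Manager"
    (vp / "bak").mkdir(parents=True)
    (vp / "bak" / "ViewMgr.exe").write_bytes(b"MZ constructed viewmgr")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for entry in audit_bak_folders(sample_root):
        print(f"{entry['status']:<12} {entry['bak']}")
    removed, kept = remove_redundant_baks(sample_root)
    print(f"removed {len(removed)} redundant bak file(s), kept {len(kept)}")
```

On the constructed tree only the QuickTime bak copy is removed and its bak folder dropped; the Iomega pair (live file differs) and the Viewpoint copy (no live file) are kept and reported, which is the cue to run FindAWF option 3 again before any deletion. For a real system call `audit_bak_folders(Path(r"C:\Program Files"))` first and read the list before calling `remove_redundant_baks`.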
toastyme
2007-09-14, 22:34
Okay, done and.. done!
FindAWF:
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Fri 09/14/2007
The current time is: 15:35:50.56
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\IOMEGA\AUTODISK\BAK
09/24/2002 05:39p 147,456 ADUserMon.exe
1 File(s) 147,456 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\ADUserMon.exe"
147456 Sep 24 2002 "C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
end of report
AND HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:36 PM, on 9/14/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
C:\WINNT\system32\EXSHOW95.EXE
C:\WINNT\system32\EXSHOW.EXE
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Roxio\GoBack\GBTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\USA Datanet Internet Portal\Netsurf.exe
C:\PROGRA~1\OUTLOO~1\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://right-to-pop.livejournal.com/profile?mode=full
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usadatanet.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
O4 - HKLM\..\Run: [EXSHOW95.EXE] EXSHOW95.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O4 - Global Startup: Instant Update Reminder.lnk = C:\Program Files\U.S. Robotics\ControlCenter\Reminder.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINNT\wweb32.dll/lookup.html
O15 - Trusted Zone: http://www.kaspersky.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136430826218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129958443781
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8755C03C-5753-49A4-8D6B-C879FCCBD372}: NameServer = 69.67.254.2 69.67.254.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7EEA7F4-C0B7-4DC4-B12F-F7234136DEFC}: NameServer = 24.92.32.22,24.92.33.23
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
--
End of file - 9222 bytes
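The log above is plain text that a reviewer has to read by eye. As an added example (not from the thread, and not part of HijackThis), here is a small Python parser that turns the O4, O17 and O23 lines into records, so you can list where each autostart and service actually runs from, which DNS servers the O17 lines set, and which entries point into a folder you are about to remove. The sample lines are copied from this thread's log; HjtEntry, parse_hjt and entries_referencing are names chosen here.

```python
"""Parse HijackThis O4/O17/O23 log lines into records. Added example, not from the thread or HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample: a few lines copied verbatim from this thread's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8755C03C-5753-49A4-8D6B-C879FCCBD372}: NameServer = 69.67.254.2 69.67.254.3
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7EEA7F4-C0B7-4DC4-B12F-F7234136DEFC}: NameServer = 24.92.32.22,24.92.33.23
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
"""

@dataclass
class HjtEntry:
    section: str        # "O4", "O17" or "O23"
    name: str           # run-key value name, .lnk name, service name or adapter GUID
    path: str           # executable path ("" for O17 lines)
    extra: dict         # hive / vendor / nameservers, depending on the section

_STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
_RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
_O17_RE = re.compile(r"^O17 - .*\{(?P<guid>[0-9A-Fa-f-]+)\}: NameServer = (?P<ns>.+)$")
_O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

def exe_from_command(cmd: str) -> str:
    # Strip arguments from a Run-key command line; a quoted path may contain spaces.
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.(?:exe|dll|cpl|ocx))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_hjt(text: str) -> list:
    """Parse O4, O17 and O23 lines; every other section is ignored."""
    out = []
    for line in (l.strip() for l in text.splitlines()):
        if m := _STARTUP_RE.match(line):
            out.append(HjtEntry("O4", m["name"], exe_from_command(m["cmd"]), {"hive": "Global Startup"}))
        elif m := _RUN_RE.match(line):
            out.append(HjtEntry("O4", m["name"], exe_from_command(m["cmd"]), {"hive": m["hive"]}))
        elif m := _O17_RE.match(line):
            out.append(HjtEntry("O17", m["guid"], "", {"nameservers": re.split(r"[ ,]+", m["ns"].strip())}))
        elif m := _O23_RE.match(line):
            out.append(HjtEntry("O23", m["name"], m["path"], {"vendor": m["vendor"]}))
    return out

def entries_referencing(entries: list, fragment: str) -> list:
    """Autostarts and services whose path contains a folder, e.g. one about to be deleted."""
    return [e for e in entries if fragment.lower() in e.path.lower()]
```

Running entries_referencing over the full log with the AutoDisk\bak folder shows which Run entry will be left dangling once that folder is deleted, which is the kind of check worth doing before any manual removal.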
Ok very good :)
Delete this folder manually via My Computer:
C:\Program Files\Iomega\AutoDisk\bak
Then, how is the computer running? :bigthumb:
toastyme
2007-09-16, 10:49
Did it! :)
Everything's working fine! Thank you so much for taking the time and patience to help me through this! I definitely wouldn't have been able to work through it without your step-by-step instructions! :bow:
Hi again, you're very welcome :)
You can remove the tools we used.
=============
Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.
Use AVG Anti-Spyware (http://www.ewido.net/en/)
Download and install AVG Anti-Spyware. Update it and scan your computer regularly with it.
Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.
Install SpywareBlaster (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
SpywareBlaster will prevent spyware from being installed.
Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.
Use Firefox browser (http://www.mozilla.org)
Firefox is a faster and more secure browser than Internet Explorer.
Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.
Keep your antivirus (http://forum.malwareremoval.com/viewtopic.php?p=53#53) and firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) up-to-date
Scan your computer regularly with your antivirus software.
Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?
Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Stay clean and be safe ;)
toastyme
2007-09-18, 08:29
Thank you again! :D: And thank you for all those links.. I'm going to implement the ones I don't have on my system! I'll be all stocked up! :D:
That's great news and you're very welcome :D:
As the problem appears to be resolved this topic has been archived.
If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.
Glad we could help :2thumb: