My computer has trojans



Doom Saber
2008-08-21, 03:00
Below are the reports for HJT and Kaspersky. I think my PC has Virtumonde, even though I think Spybot removed it, since my PC still lags.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:32 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\PROGRA~1\Yahoo!\browser\ybrowser.exe
E:\PROGRA~1\Yahoo!\browser\ybrowser.exe
E:\PROGRA~1\Yahoo!\browser\ybrowser.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMf7127f90] Rundll32.exe "E:\WINDOWS\system32\nwcditum.dll",s
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [A00F12F0E36.exe] E:\DOCUME~1\User1\LOCALS~1\Temp\_A00F12F0E36.exe
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O20 - Winlogon Notify: ssqRIXqN - E:\WINDOWS\
O20 - Winlogon Notify: __c004B568 - E:\WINDOWS\
O20 - Winlogon Notify: __c0087BA4 - E:\WINDOWS\system32\__c0087BA4.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8014 bytes
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 20, 2008 09:25:42
Records in database: 1113234
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 371066
Threat name: 6
Infected objects: 32
Suspicious objects: 0
Duration of the scan: 14:28:36


File name / Threat name / Threats count
E:\WINDOWS\system32\__c0087BA4.dat/E:\WINDOWS\system32\__c0087BA4.dat Infected: Packed.Win32.PolyCrypt.d 14
MOM.exe\nwcditum.dll/MOM.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
rundll32.exe\nwcditum.dll/rundll32.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
AdobeUpdater.exe\nwcditum.dll/AdobeUpdater.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
WZQKPICK.EXE\nwcditum.dll/WZQKPICK.EXE\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
CCC.exe\nwcditum.dll/CCC.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
IEXPLORE.EXE\nwcditum.dll/IEXPLORE.EXE\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
ycommon.exe\nwcditum.dll/ycommon.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
wscntfy.exe\nwcditum.dll/wscntfy.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
E:\WINDOWS\system32\etls.dll Infected: not-a-virus:AdWare.Win32.RK.r 1
E:\WINDOWS\system32\__c004B568.dat Infected: Packed.Win32.PolyCrypt.d 1
E:\WINDOWS\system32\__c0087BA4.dat Infected: Packed.Win32.PolyCrypt.d 1
H:\Utilities2\Burn CD\CloneCD V4.3.17\SetupCloneCD4317.exe Infected: not-a-virus:AdWare.Win32.CommonName.z 1
H:\Utilities2\Internet - Network\Remote-Anything 4.11.12\Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4117 1
H:\Utilities2\Utilities Softs\Remote-Anything 4.11.12\Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4117 1
I:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
I:\Utilities\Burn CD\CloneCD V4.3.17\SetupCloneCD4317.exe Infected: not-a-virus:AdWare.Win32.CommonName.z 1
I:\Utilities\Internet - Network\Remote-Anything 4.11.12\Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4117 1
I:\Utilities\Utilities Softs\Remote-Anything 4.11.12\Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4117 1

The selected area was scanned.
----------------------------------------------
http://forums.spybot.info/showthread.php?p=100879#post100879
http://forums.spybot.info/showthread.php?p=169409#post169409
http://forums.spybot.info/showthread.php?p=201399#post201399

ken545
2008-08-23, 02:58
Doom Saber,

Your PC is infected, and you posted before and never replied. We really do not have the time to analyze your log, work up a fix, and then have no reply from you; you are taking us away from someone who is seriously infected and needs and wants our help. You need to reply to this thread only by using SUBMIT REPLY and not START ANY NEW TOPICS. If this topic is not replied to in 5 days, this thread will be closed and no other help will be offered to you.


Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

Doom Saber
2008-08-24, 05:35
Sorry for not replying before. I seriously did need your help last time and this time, and I apologize if I wasted you guys' time and resources. It's just that at the time of the previous topics, I couldn't post on time because of personal matters. However, since I am out of college, I promise I can post within 5 days.

This is the first time this PC has been infected; previously, I asked for help on my other PC, which was cleaned thanks to you guys.

Lastly, if my PCs are infected again with something serious, like for instance this PC having Virtumonde, do I make a new topic to reflect the trojan it has or continue from this thread? Thanks, and I am so sorry about not replying to the previous topics.

Here is my Hijackthis! log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:55 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\WINDOWS\system32\Rundll32.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\dllhost.exe
E:\PROGRA~1\Yahoo!\browser\ybrowser.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMf7127f90] Rundll32.exe "E:\WINDOWS\system32\nwcditum.dll",s
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-220523388-1644491937-725345543-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O20 - Winlogon Notify: ssqRIXqN - E:\WINDOWS\
O20 - Winlogon Notify: __c0087BA4 - E:\WINDOWS\system32\__c0087BA4.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8152 bytes
And here is my antimalware log:

Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 2

8:26:24 PM 8/23/2008
mbam-log-08-23-2008 (20-26-24).txt

Scan type: Quick Scan
Objects scanned: 59395
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
E:\WINDOWS\system32\nwcditum.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\__c0087BA4.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004b568 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0087ba4 (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmf7127f90 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f12f0e36.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\nwcditum.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\ynpqjafw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
E:\Documents and Settings\User1\Local Settings\Temp\_A00F12F0E36.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\__c0087BA4.dat (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\__c004B568.dat (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\iifgFYsP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\BMf7127f90.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\BMf7127f90.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\users_rating.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\spy_away_header_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\spy_away_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\spy_away_box_small.jpg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\protect.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\perfect_cleaner_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\logo_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\features.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\download_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\buy_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\5_stars.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\4_stars.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\spy_away_box.jpg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\v.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\x.gif (Malware.Trace) -> Quarantined and deleted successfully.

ken545
2008-08-24, 06:09
Hello,

Just stay in this topic by using the Submit Reply.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKLM\..\Run: Rundll32.exe "E:\WINDOWS\system32\nwcditum.dll",s

O20 - Winlogon Notify: ssqRIXqN - E:\WINDOWS\
O20 - Winlogon Notify: __c0087BA4 - E:\WINDOWS\system32\__c0087BA4.dat

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe
Go to your Add Remove Programs in the Control Panel and uninstall Viewpoint, it installs without your knowledge or consent, uses system resources and basically is not needed for anything.
Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button. Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your password and other personal information, as removing cookies will temporarily disable the auto-login facility.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards, before connecting to the net.



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.


3. Now double click on ComboFix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
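
The entries ken545 picks out for Fix Checked share a few structural tells that can be checked mechanically: a Winlogon Notify package with no DLL file behind it (or a .dat file where a .dll belongs), a Run entry named with a hex string, a rundll32 call into a system32 DLL with a one-letter export, and an executable started from a Temp folder. The script below is an added example written for this archive; it is not from the thread, from HijackThis or from any of the tools named above. It applies those rules to lines copied from the log posted earlier in the thread, with benign entries kept in as controls. The rule set and its wording are the editor's own heuristics.

```python
"""
Triage rules for HijackThis-style autostart lines (O4 Run entries and
O20 Winlogon Notify packages).  Added example, not part of the thread or of
HijackThis; the heuristics below are the editor's own assumptions.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the HijackThis log posted in the thread,
# with known-good entries (Cmaudio, iTunesHelper, Bonjour) left in as controls.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMf7127f90] Rundll32.exe "E:\WINDOWS\system32\nwcditum.dll",s
O4 - HKCU\..\Run: [A00F12F0E36.exe] E:\DOCUME~1\User1\LOCALS~1\Temp\_A00F12F0E36.exe
O20 - Winlogon Notify: ssqRIXqN - E:\WINDOWS\
O20 - Winlogon Notify: __c0087BA4 - E:\WINDOWS\system32\__c0087BA4.dat
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
""".strip().splitlines()

# Entry name = at most three letters/underscores followed by a long hex run
# (matches BMf7127f90, __c0087BA4, A00F12F0E36.exe; not Cmaudio or iTunesHelper).
HEXISH_NAME = re.compile(r'^[_A-Za-z]{0,3}[0-9A-Fa-f]{6,}(\.exe)?$')
# Anything launched from the user's temp directory (8.3 or long form).
TEMP_DIR = re.compile(r'\\(LOCALS~1|Local Settings)\\Temp\\', re.IGNORECASE)
# rundll32 loading a DLL, optionally followed by ",ExportName".
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S*))?',
                    re.IGNORECASE)

O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')


def check_o4(name: str, cmd: str) -> List[str]:
    """Reasons an O4 (registry Run) entry deserves a second look."""
    reasons = []
    if HEXISH_NAME.match(name):
        reasons.append("Run entry name looks machine-generated")
    if TEMP_DIR.search(cmd):
        reasons.append("autostart launches an executable from a Temp directory")
    m = RUNDLL.match(cmd)
    if m and re.search(r'\\system32\\', m.group('dll'), re.IGNORECASE):
        export = m.group('export') or ''
        # Legitimate rundll32 autostarts name a real export (e.g. NvStartup);
        # a missing or one-letter export is the pattern seen in this thread.
        if len(export) <= 2:
            reasons.append("rundll32 loads a system32 DLL with a missing or one-letter export")
    return reasons


def check_o20(name: str, path: str) -> List[str]:
    """Reasons an O20 (Winlogon Notify) entry deserves a second look."""
    reasons = []
    # Notify packages are DLLs; a bare directory or a .dat file is anomalous.
    if not path.lower().endswith('.dll'):
        reasons.append("Winlogon Notify package is not a .dll (directory or .dat)")
    if HEXISH_NAME.match(name):
        reasons.append("notify package name looks machine-generated")
    return reasons


def triage(lines) -> Dict[str, List[str]]:
    """Map each flagged log line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m.group('name'), m.group('cmd'))
        else:
            m = O20_RE.match(line)
            reasons = check_o20(m.group('name'), m.group('path')) if m else []
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    -", r)
```

Run as a script it prints the four entries that ken545 asked to have fixed, each with the rule that caught it, and stays silent on the Cmaudio, iTunesHelper and Bonjour controls. Treat the output as a triage aid rather than a verdict: the name rule in particular can trip on legitimately odd vendor names, which is why the structural rules (Temp paths, non-DLL notify packages, empty rundll32 exports) carry the weight.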

Doom Saber
2008-08-25, 01:40
Hello,

I followed the steps to run the ComboFix application, and this is the report I got. Not sure if I did anything wrong:

ComboFix 08-08-23.03 - User1 2008-08-24 16:26:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.206 [GMT -7:00]
Running from: E:\Documents and Settings\User1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

Here is the hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39, on 2008-08-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\dllhost.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-220523388-1644491937-725345543-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7698 bytes

ken545
2008-08-25, 03:15
I need to see the entire Combofix log; you can find it here: C:\ComboFix.txt

Doom Saber
2008-08-25, 22:39
Hello again,

I notice that the reason why I can't find the C:\combofix.txt (or in my case, E:\combofix.txt) is that the program reboots my pc when the combofix program is scanning for trojans, resulting in no log file. Any way to fix this? Thanks.

ken545
2008-08-25, 23:39
Let's run Combofix again. I am sure it found bad entries, and maybe this time you can find the log.


Post a new HJT log also, please.

Doom Saber
2008-08-26, 00:58
Hi,

I decided to run the combofix via safe boot, which allowed the program to start w/o crashing:

ComboFix 08-08-23.03 - Administrator 2008-08-25 15:41:26.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.372 [GMT -7:00]
Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\xcrashdump.dat
E:\Documents and Settings\User1\Application Data\inst.exe
E:\Documents and Settings\User1\Application Data\macromedia\Flash Player\#SharedObjects\WSFSK2B3\interclick.com
E:\Documents and Settings\User1\Application Data\macromedia\Flash Player\#SharedObjects\WSFSK2B3\interclick.com\ud.sol
E:\Documents and Settings\User1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
E:\Documents and Settings\User1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
E:\WINDOWS\system32\fravvwlp.ini
E:\WINDOWS\system32\moqAbJlm.ini
E:\WINDOWS\system32\moqAbJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-23 20:17 . 2008-08-23 20:17 <DIR> d-------- E:\Documents and Settings\User1\Application Data\Malwarebytes
2008-08-23 20:17 . 2008-08-17 15:05 17,144 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 20:16 . 2008-08-23 20:17 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 20:16 . 2008-08-23 20:16 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 20:16 . 2008-08-17 15:05 38,472 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 20:10 . 2004-03-09 00:00 1,081,616 --a------ E:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-20 19:52 . 2008-08-20 19:52 <DIR> d-------- E:\nup
2008-08-17 21:35 . 2008-08-17 21:37 <DIR> d-------- E:\Program Files\Spybot2 - Search & Destroy
2008-08-13 10:51 . 2008-08-13 10:51 <DIR> d-------- E:\Program Files\Microsoft Silverlight
2008-08-07 14:00 . 2008-08-07 14:00 <DIR> d-------- E:\Program Files\American McGee's Grimm
2008-07-25 19:08 . 2008-07-25 19:09 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\WinZip
2008-07-25 18:37 . 2008-07-25 19:03 87 --a------ E:\WINDOWS\MC32.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 20:17 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 23:08 --------- d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-21 01:22 --------- d-----w E:\Program Files\EsetOnlineScanner
2008-08-19 17:01 --------- d-----w E:\Documents and Settings\User1\Application Data\uTorrent
2008-08-19 03:02 --------- d-----w E:\Program Files\Java
2008-08-18 15:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 14:47 --------- d-----w E:\Documents and Settings\User1\Application Data\Yahoo!
2008-08-07 21:30 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-07-24 03:06 308,134 ----a-w E:\WINDOWS\java\Packages\NDJVNN3B.ZIP
2008-07-22 19:01 --------- d-----w E:\Documents and Settings\User1\Application Data\vlc
2008-07-09 12:05 43,872 ------w E:\WINDOWS\system32\drivers\pxhelp20.sys
2008-07-09 12:05 129,520 ------w E:\WINDOWS\system32\pxafs.dll
2008-07-09 12:05 120,568 ------w E:\WINDOWS\system32\pxcpyi64.exe
2008-07-09 12:05 118,256 ------w E:\WINDOWS\system32\pxinsi64.exe
2008-07-04 06:33 3,230,720 ----a-w E:\WINDOWS\system32\drivers\ati2mtag.sys
2008-07-04 04:05 593,920 ------w E:\WINDOWS\system32\ati2sgag.exe
2008-07-04 03:48 9,490,432 ----a-w E:\WINDOWS\system32\atioglx2.dll
2008-07-04 03:25 421,888 ----a-w E:\WINDOWS\system32\ATIDEMGX.dll
2008-07-04 03:23 309,248 ----a-w E:\WINDOWS\system32\ati2dvag.dll
2008-07-04 03:14 26,112 ----a-w E:\WINDOWS\system32\Ati2mdxx.exe
2008-07-04 03:14 184,320 ----a-w E:\WINDOWS\system32\atipdlxx.dll
2008-07-04 03:14 143,360 ----a-w E:\WINDOWS\system32\Oemdspif.dll
2008-07-04 03:13 43,520 ----a-w E:\WINDOWS\system32\ati2edxx.dll
2008-07-04 03:13 139,264 ----a-w E:\WINDOWS\system32\ati2evxx.dll
2008-07-04 03:12 561,152 ----a-w E:\WINDOWS\system32\ati2evxx.exe
2008-07-04 03:10 53,248 ----a-w E:\WINDOWS\system32\ATIDDC.DLL
2008-07-04 03:06 253,952 ----a-w E:\WINDOWS\system32\atiok3x2.dll
2008-07-04 03:00 3,786,144 ----a-w E:\WINDOWS\system32\ati3duag.dll
2008-07-04 02:55 307,200 ----a-w E:\WINDOWS\system32\atiiiexx.dll
2008-07-04 02:49 2,140,672 ----a-w E:\WINDOWS\system32\ativvaxx.dll
2008-07-04 02:34 48,640 ----a-w E:\WINDOWS\system32\amdpcom32.dll
2008-07-04 02:30 348,160 ----a-w E:\WINDOWS\system32\atikvmag.dll
2008-07-04 02:29 32,768 ----a-w E:\WINDOWS\system32\atiadlxx.dll
2008-07-04 02:28 53,248 ----a-w E:\WINDOWS\system32\drivers\ati2erec.dll
2008-07-04 02:28 17,408 ----a-w E:\WINDOWS\system32\atitvo32.dll
2008-07-04 02:25 5,439,488 ----a-w E:\WINDOWS\system32\atioglxx.dll
2008-07-04 02:22 565,248 ----a-w E:\WINDOWS\system32\ati2cqag.dll
2008-07-03 06:52 --------- d-----w E:\Program Files\iTunes
2008-07-02 05:59 --------- d-----w E:\Program Files\Yahoo! Games
2008-06-30 18:56 --------- d-----w E:\Documents and Settings\User1\Application Data\PC Tools
2008-06-26 05:51 --------- d-----w E:\Program Files\Sun
2008-06-26 05:11 --------- d-----w E:\Program Files\CA Yahoo! Anti-Spy
2008-06-26 05:04 --------- d-----w E:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-26 04:55 --------- d-----w E:\Program Files\Yahoo!
2008-06-26 04:55 --------- d-----w E:\Program Files\Common Files\Scanner
2008-06-26 04:55 --------- d-----w E:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-21 08:45 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
2008-06-20 17:41 245,248 ----a-w E:\WINDOWS\system32\mswsock.dll
2007-09-19 21:54 47,360 ----a-w E:\Documents and Settings\User1\Application Data\pcouffin.sys
2005-02-28 03:07 271 --sha-w E:\Program Files\desktop.ini
2005-02-28 03:07 23,357 ----a-w E:\Program Files\folder.htt
.

------- Sigcheck -------

2007-05-31 11:40 502272 6e8ca4fcb30282f216f5db9dd58a5f81 E:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 67,752 2006-12-22 14:29:56 E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe

----a-w 39,792 2007-10-11 03:51:56 E:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2007-10-11 02:51:56 E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-r 2,321,600 2007-03-01 17:37:52 E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
----a-r 2,321,600 2007-03-01 17:37:52 E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

----a-w 153,136 2007-03-01 22:57:24 E:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 36,975 2005-04-13 10:48:52 E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe

----a-w 2,037,352 2007-03-29 03:41:26 E:\Program Files\Norton Ghost\Agent\bak\VProTray.exe

----a-w 98,304 2003-07-14 19:30:26 E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe

----a-w 185,456 2007-06-01 02:05:00 E:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe

----a-w 230,512 2007-06-01 02:05:00 E:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe

----a-w 129,536 2006-07-21 23:19:46 E:\Program Files\Yahoo!\browser\bak\ybrwicon.exe

----a-w 4,670,968 2007-03-02 01:11:26 E:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

----a-w 407,032 2006-07-21 17:43:10 E:\Program Files\Yahoo!\YOP\bak\yop.exe

----a-w 1,103,480 2007-03-05 21:57:48 H:\Program Files\Download Manager\bak\DLM.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-02 13:56 160496 --a------ E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" [2007-05-16 09:27 16944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"StartCCC"="E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"PWRISOVM.EXE"="E:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 16:50 233472]
"e-Trends Software Installation Helper"="E:\WINDOWS\system32\ehelper.exe" [2008-03-24 23:18 217110]
"WinampAgent"="E:\Program Files\Winamp\winampa.exe" [N/A]
"YSearchProtection"="E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 09:41 223984]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Cmaudio"="cmicnfg.cpl" [N/A]
"NWEReboot"="" [N/A]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - H:\Program Files\WinZip\WZQKPICK.EXE [2008-04-28 11:20:00 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= E:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= E:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"E:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=
"E:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"E:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"G:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"E:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"E:\\Program Files\\AIM6\\aim6.exe"=


*Newly Created Service* - PXHELP20
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.

O16 -: Microsoft XML Parser for Java - file://E:\WINDOWS\Java\classes\xmldso.cab
E:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: Yahoo! Word Racer - hxxp://origin.games.yahoo.net/games/clients/y/wt1_x.cab
E:\WINDOWS\Downloaded Program Files\Yahoo! Word Racer.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 15:46:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 15:51:14
ComboFix-quarantined-files.txt 2008-08-25 22:51:10

Pre-Run: 555,528,192 bytes free
Post-Run: 887,107,584 bytes free

177 --- E O F --- 2008-07-09 10:01:03

HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:56, on 2008-08-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\WINDOWS\system32\ehelper.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Registry Mechanic\RegMech.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\internet explorer\iexplore.exe
E:\WINDOWS\system32\wuauclt.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-220523388-1644491937-725345543-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - E:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7734 bytes

ken545
2008-08-26, 01:30
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and their backups and then restore them.

Please download FindAWF (http://noahdfear.geekstogo.com/FindAWF.exe) and save it to your desktop

* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
* When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**

Doom Saber
2008-08-26, 05:59
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-08-25
The current time is: 19:38:55.45


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\ADOBE\PHOTOS~1.0\BAK

2006-12-22 07:29 67,752 apdproxy.exe
1 File(s) 67,752 bytes

Directory of E:\PROGRA~1\NORTON~1\AGENT\BAK

2007-03-28 20:41 2,037,352 VProTray.exe
1 File(s) 2,037,352 bytes

Directory of E:\PROGRA~1\YAHOO!\ANTIVI~1\BAK

2007-05-31 19:05 185,456 CAVRID.exe
2007-05-31 19:05 230,512 CAVTray.exe
2 File(s) 415,968 bytes

Directory of E:\PROGRA~1\YAHOO!\BROWSER\BAK

2006-07-21 16:19 129,536 ybrwicon.exe
1 File(s) 129,536 bytes

Directory of E:\PROGRA~1\YAHOO!\MESSEN~1\BAK

2007-03-01 18:11 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of E:\PROGRA~1\YAHOO!\YOP\BAK

2006-07-21 10:43 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of E:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

2007-10-10 20:51 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

2007-03-01 15:57 153,136 NeroCheck.exe
1 File(s) 153,136 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of E:\PROGRA~1\SBCYAH~1\CONNEC~1\IPINSI~1\BAK

2003-07-14 12:30 98,304 IPMon32.exe
1 File(s) 98,304 bytes

Directory of H:\PROGRA~1\DOWNLO~1\BAK

2007-03-05 14:57 1,103,480 DLM.exe
1 File(s) 1,103,480 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67752 Dec 22 2006 "E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
2037352 Mar 28 2007 "E:\Program Files\Norton Ghost\Agent\bak\VProTray.exe"
185456 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
230512 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
129536 Jul 21 2006 "E:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
4670968 Mar 1 2007 "E:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
407032 Jul 21 2006 "E:\Program Files\Yahoo!\YOP\bak\yop.exe"
29696 Sep 23 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
153136 Mar 1 2007 "E:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
155648 Jul 9 2001 "I:\Backups\IBM\WINDOWS\system32\NeroCheck.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
144784 Mar 25 2008 "E:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
98304 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe"
98304 Jul 14 2003 "E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe"
1103480 Mar 5 2007 "H:\Program Files\Download Manager\bak\DLM.exe"
1103480 Mar 5 2007 "I:\Program Files\IGN\Download Manager\DLM.exe"


end of report

ken545
2008-08-26, 11:10
Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

"E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
"E:\Program Files\Norton Ghost\Agent\bak\VProTray.exe"
"E:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
"E:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
"E:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
"E:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"E:\Program Files\Yahoo!\YOP\bak\yop.exe"
"E:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
"E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
"E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe"
"H:\Program Files\Download Manager\bak\DLM.exe"

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
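The two FindAWF steps in this thread (option 1 above: list every "bak" folder and the duplicates of its contents; option 2 here: put the backed-up originals back) boil down to a simple file comparison and copy. The following is an added example in Python, not FindAWF's code and not posted by anyone in this thread. It walks a tree, treats any directory literally named "bak" as the downloader's stash, compares each backup with the same-named file one level up by SHA-256, and restores the backup over a replaced or missing live file while moving the suspect file to a quarantine folder instead of deleting it. The directory layout, file bytes and quarantine location it builds are constructed for illustration and loosely mirror the paths in the logs; they are not real binaries.

```python
# Added example, not FindAWF's code and not from this thread. It mimics the
# two FindAWF steps discussed above: list every file inside a directory named
# "bak", compare it with the same-named file one level up, and copy the backup
# back over a replaced live file. All sample paths and bytes below are made up.
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash in chunks so a multi-megabyte executable is not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_live_copy(parent, name):
    """Case-insensitive lookup, since Windows is case-insensitive and the logs
    show Reader_sl.exe in bak next to reader_sl.exe in the live folder."""
    for entry in parent.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None


def scan_bak_folders(root):
    """For every file inside a directory literally named "bak", compare it with
    its live counterpart: "identical", "differs" (replaced) or "missing"."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in sorted(files):
            bak = bak_dir / name
            live = find_live_copy(bak_dir.parent, name)
            if live is None:
                status, live = "missing", bak_dir.parent / name
            elif sha256_of(live) == sha256_of(bak):
                status = "identical"
            else:
                status = "differs"
            findings.append({"bak": bak, "live": live, "status": status})
    return findings


def restore_from_bak(findings, quarantine):
    """Move each replaced live file into `quarantine` (kept for analysis, not
    deleted) and copy the backup into place. The bak folder itself is left
    alone, which is why a second scan still lists it, as in the thread's
    second AWF report. Returns the number of files restored."""
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    restored = 0
    for f in findings:
        if f["status"] == "identical":
            continue
        if f["live"].exists():
            shutil.move(str(f["live"]), str(quarantine / f"{restored}_{f['live'].name}"))
        shutil.copy2(str(f["bak"]), str(f["live"]))
        f["status"] = "restored"
        restored += 1
    return restored


def build_sample_tree(base):
    """Constructed miniature of the layout in the logs (fake bytes, not real
    binaries): a replaced exe, an already-identical pair, a bak with no live file."""
    base = Path(base)
    legit = b"MZ" + b"legitimate updater code " * 40
    trojan = b"MZ" + b"downloader stub " * 9
    reader = base / "Adobe" / "Reader 8.0" / "Reader"
    (reader / "bak").mkdir(parents=True)
    (reader / "bak" / "Reader_sl.exe").write_bytes(legit)
    (reader / "reader_sl.exe").write_bytes(trojan)
    yop = base / "Yahoo!" / "YOP"
    (yop / "bak").mkdir(parents=True)
    (yop / "bak" / "yop.exe").write_bytes(legit)
    (yop / "yop.exe").write_bytes(legit)
    ghost = base / "Norton Ghost" / "Agent"
    (ghost / "bak").mkdir(parents=True)
    (ghost / "bak" / "VProTray.exe").write_bytes(legit)
    return base


def run_sample():
    """Scan, restore, rescan on the constructed tree; returns the outcome."""
    tmp = Path(tempfile.mkdtemp())
    root = build_sample_tree(tmp / "Program Files")
    findings = scan_bak_folders(root)
    before = {f["live"].name: f["status"] for f in findings}
    restored = restore_from_bak(findings, tmp / "quarantine")
    after = {f["live"].name: f["status"] for f in scan_bak_folders(root)}
    quarantined = sorted(p.name for p in (tmp / "quarantine").iterdir())
    shutil.rmtree(tmp)
    return {"before": before, "restored": restored, "after": after,
            "quarantined": quarantined}


if __name__ == "__main__":
    print(run_sample())
```

On the constructed tree the first scan reports reader_sl.exe as "differs", yop.exe as "identical" and VProTray.exe as "missing"; restoring touches two files and leaves the replaced reader_sl.exe in quarantine, and a second scan reports everything as identical while still listing all three bak folders, which is the same picture the second FindAWF report in this thread shows. Comparing by hash rather than by size matters here: the replaced Reader_sl.exe in the logs has the same 39,792-byte size in both locations, so size alone cannot tell the two apart.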

Doom Saber
2008-08-27, 00:44
Hello again,

Here is the AWF report:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-08-26
The current time is: 14:30:21.87


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\ADOBE\PHOTOS~1.0\BAK

2006-12-22 07:29 67,752 apdproxy.exe
1 File(s) 67,752 bytes

Directory of E:\PROGRA~1\NORTON~1\AGENT\BAK

2007-03-28 20:41 2,037,352 VProTray.exe
1 File(s) 2,037,352 bytes

Directory of E:\PROGRA~1\YAHOO!\ANTIVI~1\BAK

2007-05-31 19:05 185,456 CAVRID.exe
2007-05-31 19:05 230,512 CAVTray.exe
2 File(s) 415,968 bytes

Directory of E:\PROGRA~1\YAHOO!\BROWSER\BAK

2006-07-21 16:19 129,536 ybrwicon.exe
1 File(s) 129,536 bytes

Directory of E:\PROGRA~1\YAHOO!\MESSEN~1\BAK

2007-03-01 18:11 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of E:\PROGRA~1\YAHOO!\YOP\BAK

2006-07-21 10:43 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of E:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

2007-10-10 20:51 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

2007-03-01 15:57 153,136 NeroCheck.exe
1 File(s) 153,136 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of E:\PROGRA~1\SBCYAH~1\CONNEC~1\IPINSI~1\BAK

2003-07-14 12:30 98,304 IPMon32.exe
1 File(s) 98,304 bytes

Directory of H:\PROGRA~1\DOWNLO~1\BAK

2007-03-05 14:57 1,103,480 DLM.exe
1 File(s) 1,103,480 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67752 Dec 22 2006 "E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
67752 Dec 22 2006 "E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
2037352 Mar 28 2007 "E:\Program Files\Norton Ghost\Agent\VProTray.exe"
2037352 Mar 28 2007 "E:\Program Files\Norton Ghost\Agent\bak\VProTray.exe"
185456 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
185456 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
230512 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
230512 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
129536 Jul 21 2006 "E:\Program Files\Yahoo!\browser\ybrwicon.exe"
129536 Jul 21 2006 "E:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
4670968 Mar 1 2007 "E:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE"
4670968 Mar 1 2007 "E:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
407032 Jul 21 2006 "E:\Program Files\Yahoo!\YOP\yop.exe"
407032 Jul 21 2006 "E:\Program Files\Yahoo!\YOP\bak\yop.exe"
29696 Sep 23 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
153136 Mar 1 2007 "E:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
155648 Jul 9 2001 "I:\Backups\IBM\WINDOWS\system32\NeroCheck.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
144784 Mar 25 2008 "E:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
98304 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe"
98304 Jul 14 2003 "E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\IPMon32.exe"
98304 Jul 14 2003 "E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe"
1103480 Mar 5 2007 "H:\Program Files\Download Manager\DLM.exe"
1103480 Mar 5 2007 "H:\Program Files\Download Manager\bak\DLM.exe"
1103480 Mar 5 2007 "I:\Program Files\IGN\Download Manager\DLM.exe"


end of report

ken545
2008-08-27, 01:44
Hi,

Before we go any further, go to your Add Remove Programs in the Control Panel and uninstall the following programs. These are all Java related; they should have a little coffee cup icon next to them.

jre1.5.0_03
jre1.6.0_01
jre1.6.0_06

Keep this one, do not uninstall it
jre1.6.0_07



Double-click FindAWF.exe to start the tool.


Select option #3 - Remove bak folders by typing 3 and press 'Enter'
A text file will open up. Please copy/paste the following bolded text into the text file:


E:\Program Files\Adobe\Photoshop Elements 5.0\bak
E:\Program Files\Norton Ghost\Agent\bak
E:\Program Files\Yahoo!\Antivirus\bak
E:\Program Files\Yahoo!\browser\bak
E:\Program Files\Yahoo!\Messenger\bak
E:\Program Files\Yahoo!\YOP\bak
E:\Program Files\Adobe\Reader 8.0\Reader\bak
E:\Program Files\Common Files\Adobe\Updater5\bak
E:\Program Files\Common Files\Ahead\Lib\bak
E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak
H:\Program Files\Download Manager\bak

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

Doom Saber
2008-08-27, 11:07
Hi,

I am wondering if there is another way to delete programs other than add/remove? I am having problems finding jre1.5.0_03 when I follow your steps in going to the control panel and using add/remove programs to get rid of it, since it is not there; I was able to remove the other ones, though. Thank you.

ken545
2008-08-27, 11:11
Good Morning,

Let's not worry about that one right now; go ahead and run Option #3.

Doom Saber
2008-08-27, 22:15
Morning,

Here is the log for AWF:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2008-08-27
The current time is: 12:50:43.60


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"


end of report

ken545
2008-08-27, 23:31
Hello,


I will explain in a bit what we're doing.


Open Hijackthis
Go to Misc Tools> Open Uninstall Manager.
Click on Save List.
The list will open in Notepad.
Copy and Paste the List into this thread



* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
* When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**

Doom Saber
2008-08-28, 03:59
Hello,

here are the hijackthis and awf



2Wire Wireless Client
7-Zip 4.57
Action Replay Code Manager
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Photoshop Elements 5.0.2 Patcher
Adobe Photoshop Lightroom 2
Adobe Reader 8.1.1
AIM 6
American McGee's Grimm: A Boy Learns What Fear Is
Apple Mobile Device Support
Apple Software Update
AT&T Yahoo! Applications
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Bonjour
CA Yahoo! Anti-Spy (remove only)
CCleaner (remove only)
C-Media 3D Audio
DLDIrc
DVD Shrink 3.2
DVDFab Platinum 3.1.8.0
ESET Online Scanner
e-Trends Software Installation Helper
Free Games Offer, Desktop Shortcut
GameTap
Guild Wars
Hellgate: London
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Image Editor
IsoBuster 2.4
iTunes
Java(TM) 6 Update 7
LEGO Digital Designer
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MP3 Workshop XP 2.00
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero 7 Ultra Edition
neroxml
Norton Ghost
NVIDIA nForce Drivers
OpenOffice.org Installer 1.0
PlayNC Launcher
PowerISO
Print Server Driver
QuickTime
Registry Mechanic 8.0
Samsung PC Studio Samples 1.0
Samsung PC Studio 1.0 PIM & File Manager
SBC Yahoo! DSL Home Networking Installer
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
Spybot - Search & Destroy 1.4
Spyware Doctor 5.5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
VideoLAN VLC media player 0.8.6i
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
WinZip 11.2
World of Warcraft
Yahoo! Search Protection
YAMAHA Wave Sound Decorator



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-08-27
The current time is: 18:38:37.59


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"


end of report

ken545
2008-08-28, 10:49
Hello,

All I see on your Add Remove for Java is the latest version, so let's not worry about that now.

This is what has happened: you got infected with the latest version of Vundo, which included a file infector. This trojan basically placed its own infected copy of a file into the programs that we are working on, so that when you run that program the infected file does its nasty work. With FindAWF we are attempting to replace the infected file with the legitimate backup and then delete the backup. Out of all those programs, only two remain that did not take, so we need to run the tool again and attempt to remove the remaining infected files.


Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

"E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
"E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
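Editor's note on the mechanism the helper describes above: the infector moves the real program file into a sibling folder named bak and leaves its own copy under the original name, and FindAWF's three options are scan for bak folders, copy the backup back over the live file, and delete the bak folder. The script below is an added example written for this page, not FindAWF's code and not anything posted in the thread. It builds a constructed directory tree (a clean app.exe in bak and a same-size but different app.exe beside it; the program name, bytes and paths are made up), scans it the way option 1 does, hashes both copies instead of trusting size and date alone, restores from bak the way option 2 does while keeping the suspect file in a quarantine folder, and removes the bak folder the way option 3 does only once every backup has an identical live copy.

```python
"""Scan / restore / clean for the "bak" folder pattern described in the thread.
Added example modelled on what FindAWF options 1-3 do; not FindAWF's own code.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_files(root):
    """Walk ROOT and return (bak_copy, live_copy_or_None) for every file inside a
    directory literally named 'bak', paired with the same-named file one level
    up, which is where the infector leaves its replacement (FindAWF option 1)."""
    pairs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for name in filenames:
            bak = d / name
            live = d.parent / name
            pairs.append((bak, live if live.exists() else None))
    return pairs


def classify(bak, live):
    """'missing'   nothing beside the bak folder to compare against
       'identical' same size and same SHA-256 (restore already done, or benign)
       'replaced'  live file differs from the backup: treat it as suspect
    FindAWF's report shows only size and date; hashing catches a same-size swap."""
    if live is None:
        return "missing"
    if bak.stat().st_size == live.stat().st_size and sha256_of(bak) == sha256_of(live):
        return "identical"
    return "replaced"


def restore_from_bak(bak, quarantine):
    """Move the suspect live copy into QUARANTINE (keep it as evidence), then copy
    the backup into its place (FindAWF option 2). Returns the restored path, or
    None when the move or copy failed (file locked by a running process, etc.)."""
    target = bak.parent.parent / bak.name
    quarantine = Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    try:
        if target.exists():
            shutil.move(str(target), str(quarantine / f"{target.parent.name}__{target.name}"))
        shutil.copy2(str(bak), str(target))
    except OSError:
        return None
    return target


def remove_bak_folder(bak_dir):
    """Delete the bak folder (FindAWF option 3), but only after every file in it
    has an identical live copy; otherwise refuse, so a failed restore is not
    made permanent by deleting the only clean copy."""
    bak_dir = Path(bak_dir)
    for f in bak_dir.iterdir():
        live = bak_dir.parent / f.name
        if classify(f, live if live.exists() else None) != "identical":
            return False
    shutil.rmtree(bak_dir)
    return True


def build_demo_tree():
    """Constructed sample (not real files): a clean backup in bak\\ and a
    different, same-length 'infected' copy beside it. Names and bytes are made up."""
    root = Path(tempfile.mkdtemp(prefix="awfdemo_"))
    app = root / "Program Files" / "Example App"
    (app / "bak").mkdir(parents=True)
    (app / "bak" / "app.exe").write_bytes(b"MZ" + b"clean-program-body" * 100)
    (app / "app.exe").write_bytes(b"MZ" + b"infected-dropper--" * 100)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for bak, live in find_bak_files(root):
        print(classify(bak, live), bak)             # replaced
        print("restored:", restore_from_bak(bak, root / "quarantine"))
        print(classify(bak, live), "after restore")  # identical
        print("bak folder removed:", remove_bak_folder(bak.parent))
```

Two things the thread shows and the script makes explicit: the size-and-date equality in an FindAWF report is only a hint that a restore took, so the check here hashes both copies, and a backup that cannot be copied back (restore_from_bak returning None) is reported rather than having its bak folder deleted, which is the same reason the helper asks for a scan log after every restore before issuing the remove step.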

Doom Saber
2008-08-29, 03:40
Hello,

Ah, so that is why I wasn't able to find Jre1.5.0_03 on my add/remove dialog box. Thanks. Below is my report from AWF:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-08-28
The current time is: 18:14:34.10


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"


end of report

ken545
2008-08-29, 04:46
Double-click FindAWF.exe to start the tool.


Select option #3 - Remove bak folders by typing 3 and press 'Enter'
A text file will open up. Please copy/paste the following bolded text into the text file:


E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

It looks like Adobe did not take for some reason; let's see how this comes out and we can try Adobe again in a bit.

Doom Saber
2008-08-29, 05:29
Hi,

I am a bit surprised that Adobe does not get deleted either. Below is the awf report:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2008-08-28
The current time is: 19:55:37.06


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report

ken545
2008-08-29, 13:54
They have all been fixed except Adobe. Let's try one more time, and if it fails then we can just uninstall it.

Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

"E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

Doom Saber
2008-08-29, 21:09
hello,

It seems that it is still there. :(


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-08-29
The current time is: 11:36:44.45


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report

ken545
2008-08-30, 00:10
Run this through Option # 3 and post the report

E:\Program Files\Common Files\Adobe\Updater5\bak

Doom Saber
2008-08-30, 04:50
hello,

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-08-29
The current time is: 11:36:44.45


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report

Doom Saber
2008-08-30, 06:43
My bad,

I accidentally reposted the previous awf list by mistake. Here is the correct log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2008-08-29
The current time is: 19:21:45.65


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report

ken545
2008-08-30, 13:32
Morning,

This one won't fix, and it appears it's related to Adobe Reader, so uninstall this program from the Add Remove Programs in the Control Panel and then reboot and run Option #1 for FindAWF.

Let's hope this removes it; if not, we may need to uninstall all of Adobe. Do you have the disks for Adobe in case we need to reinstall?

I will be away today and won't be back online until tomorrow morning so if I don't get right back to you don't panic.

Ken:)

Doom Saber
2008-09-01, 23:59
Hi,

I removed the Acrobat program through add/remove and ran awf, resulting in the following report:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-09-01
The current time is: 14:46:10.01


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"


end of report


Even with the removal of the program, the Acrobat seems to still be on the PC. Thanks.

-Ritchie

ken545
2008-09-02, 00:32
One of the pitfalls of getting infected is you never know what this garbage is going to do; we can't leave this on your system or you take the chance of reinfecting yourself. It appears that Adobe Photoshop Elements has been fixed, so all this appears to be from the Reader. Do you have the disk for Photoshop Elements in case you have to reinstall it?

Delete the folders in red

C:\Program Files\Adobe
E:\Program Files\Common Files\Adobe
E:\Program Files\Adobe\Reader 8.0
H:\Utilities1\Update\Acrobat 6.0
I:\Backups\IBM\Program Files\Adobe
I:\Backups\Dell\Dell86\Program Files\Adobe



Reboot and see if Elements is still working and run Option #1 for FindAWF

Doom Saber
2008-09-04, 08:56
Thanks, since I think we fixed the problem.

Element crashes, but no one uses it anymore, so I don't have to install it back on. As for the log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-09-03
The current time is: 23:46:49.31


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report

ken545
2008-09-04, 10:54
Great :bigthumb:

Sorry about Element but that infection was tied in there pretty well. I would uninstall Element from the Add Remove Programs and then do a clean install.

Post a new HJT log and lets make sure nothing has come back.

Doom Saber
2008-09-05, 05:43
Hi,

I think the threat is gone because I installed the application a 2nd time and ran awf. Below is the log:


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-09-04
The current time is: 20:33:59.42


bak folders found
~~~~~~~~~~~



Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report


Thanks for the help, especially how you were patient in helping me remove the trojans. I am glad it is gone, and if I have any trojans in the future, I will make a new comment in this topic rather than making a new thread. Thank you!

Doom Saber
2008-09-05, 05:45
I realized I posted the log for awf and not hijackthis. Below is the hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:44, on 2008-09-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\2Wire\2PortalMon.exe
E:\Program Files\Registry Mechanic\RegMech.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\dllhost.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\wuauclt.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\AIM6\aim6.exe
E:\Program Files\AIM6\aolsoftware.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
E:\WINDOWS\system32\notepad.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-220523388-1644491937-725345543-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - E:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7709 bytes

ken545
2008-09-05, 13:37
Hello,

I have a few things to ask you about some entries in your log.

http://answers.yahoo.com/question/index?qid=20080802123546AAWnM3o
Remove this with HJT
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe

E:\WINDOWS\system32\ehelper.exe <-- Delete this file





This may be bad unless you installed it; I am getting mixed reviews on this. It was not on your original HJT log; have you just installed this???
O23 - Service: PsExec (PSEXESVC) - Unknown owner - E:\WINDOWS\PSEXESVC.EXE (file missing)

Good
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Bad
PsExec is a lightweight Telnet program that is used by Backdoor Trojans. It can be installed remotely through an open/unsecure NetBios connection. You can disable the service and remove the file, but if your machine has been open to a backdoor, there is no telling what they may have done. The only safe fix is to wipe the disk and reinstall.




You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

E:\WINDOWS\PSEXESVC.EXE
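
Ken's two observations above, that the PsExec service was not in the earlier HJT log and that it shows "Unknown owner" and "(file missing)", can be checked mechanically by diffing two logs and flagging such entries. The Python below is an added example, not part of this thread or of HijackThis itself; the two log excerpts are constructed from lines quoted in this thread, and the flagging heuristics are assumptions of the example, not HJT's own logic.

```python
import re

# Constructed excerpts of two HijackThis logs, modelled on O4/O23 lines
# quoted in this thread (not the complete logs).
OLD_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
"""
NEW_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - E:\WINDOWS\PSEXESVC.EXE (file missing)
"""

# "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
                    r"(?P<missing> \(file missing\))?$")
# "O4 - HKLM\..\Run: [<name>] <path>"
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<path>.+)$")


def parse_hjt(text):
    """Return a list of dicts for every O-section line; O4/O23 lines get fields."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        entry = {"kind": kind, "raw": line.strip()}
        if kind == "O23":
            s = O23_RE.match(body)
            if s:
                entry.update(s.groupdict())
                entry["missing"] = s.group("missing") is not None
        elif kind == "O4":
            a = O4_RE.match(body)
            if a:
                entry.update(a.groupdict())
        entries.append(entry)
    return entries


def flag(entry):
    """Assumed heuristics for entries worth a second look (not HJT's own logic)."""
    reasons = []
    if entry.get("missing"):
        reasons.append("service binary missing on disk")
    if entry.get("owner") == "Unknown owner":
        reasons.append("no vendor recorded for service")
    path = (entry.get("path") or "").strip('"').lower()
    if entry["kind"] == "O4" and "\\windows\\" in path:
        reasons.append("autorun launches from the Windows directory")
    return reasons


def review(old_text, new_text):
    """Map each new-log line that is new since old_text, or trips a heuristic, to its reasons."""
    old_raw = {e["raw"] for e in parse_hjt(old_text)}
    report = {}
    for e in parse_hjt(new_text):
        reasons = flag(e)
        if e["raw"] not in old_raw:
            reasons.insert(0, "not present in the earlier log")
        if reasons:
            report[e["raw"]] = reasons
    return report


if __name__ == "__main__":
    for raw, reasons in review(OLD_LOG, NEW_LOG).items():
        print(raw)
        for r in reasons:
            print("   -", r)
```

Run against the two excerpts it reports only the e-Trends autorun and the PsExec service, the same two entries Ken singled out.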

Doom Saber
2008-09-06, 00:14
Hello,

I have removed e-trends with HJT. I installed it on my pc at the beginning of summer after seeing it printed on a grocery receipt. I thought it was legit since it had an invitational code attached to it; it claimed to offer the consumer money if they had it on their pc for a month, I think. However, I had never gotten payment from them and now I think it is a hoax to put adware onto pcs, thanks to the yahoo answers site you have shown me.

As for PSEXESVC.EXE, I do not have the slightest clue where that came from and couldn't find it to add to virustotal even when I have the show hidden folders option enabled and the hide protected system files unchecked. Are there any other options to have the file show up, since I really want to post it to you to see if it is corrupted?

-Ritchie

ken545
2008-09-06, 02:05
Ritchie,

You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

E:\WINDOWS\PSEXESVC.EXE

Doom Saber
2008-09-06, 07:14
Hello,
Unfortunately, after following the instructions on the url you posted (http://www.xtra.co.nz/help/0,,4155-1916458,00.html) to allow Windows XP to view hidden files, PSEXESVC.exe is still not there. A bit odd.

-Ritchie

ken545
2008-09-06, 12:56
Let's disable the service but not remove it; if you get any squawks from windows just reverse this.


Go to Start> Run and type in services.msc then press Enter
Scroll down to PsExec
Double Click that service to open it.
Click on Stop Service.
Then change the Startup Type to Disabled.
OK your way out of the program.

Doom Saber
2008-09-08, 02:38
Thanks


I managed to disable the PsExec service.

ken545
2008-09-08, 03:22
If you did not have any issues with it disabled and you did not install that program yourself, then let's remove it.



Open HJT > Misc Tools > Delete an NT Service
Type in PSEXESVC
Then click on OK, it will ask you to reboot, do so.


Post a new HJT log and let me know how things are running now.

Doom Saber
2008-09-09, 11:33
I have not really run into any problems other than my web window box freezing when my hard drive memory is low, but that usually happened before I had Virtumonde.

Here is the hjt report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:26, on 2008-09-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\2Wire\2PortalMon.exe
E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
E:\Program Files\Registry Mechanic\RegMech.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\dllhost.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\uTorrent\uTorrent.exe
E:\Program Files\Yahoo!\browser\ybrwicon.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7365 bytes

ken545
2008-09-09, 12:59
Looking good :bigthumb: How is everything running now ?

Doom Saber
2008-09-11, 08:13
Thanks,

Everything is running fine. I guess there aren't any more problems, so thanks for helping me, and whenever I run into more trojans down the road, I will make a reply to this topic. Thank you so much!!!

-Ritchie

ken545
2008-09-11, 11:09
Hello Ritchie,

Glad things are running better for you. :bigthumb: What happens in this forum is that this thread will be closed in a few days so if you have issues in the future and this is closed you can just start a New Topic and post a new HJT log and myself or one of our excellent staff will pick it up.

FindAWF<---Drag it to the trash

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /, it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.




How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


Safe Surfn
Ken

Doom Saber
2008-09-13, 12:23
Sorry to bother, but I have one last query before this topic closes. If I were to make another topic about getting infected in the future (if the programs posted above cannot get rid of the trojans), would it be alright? I asked since I had warnings for not replying to my topics in the past and do not want to make the same mistake with this topic. Thanks

If I can, feel free to close this topic.

-Ritchie

ken545
2008-09-13, 12:51
Good Morning Ritchie,

All systems are different, as are all infections. I would not run any of the tools we ran before you post a log, as it will take away clues as to what the infection is. Do not run Combofix on your own; it's a powerful tool that can damage your system if not run correctly, and this forum, myself and sUBs will not be responsible for the outcome. It's best to just start a new thread and post a HJT log explaining your symptoms. If you don't get a reply in a few days you can PM me with the link to your thread.

Take care,
Ken:)