Malware Attack...Please Help

[pskelley]

Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\Program Files\mcafee.com\antivirus\bak\mcvsescn.exe
C:\Program Files\mcafee.com\antivirus\bak\oasclnt.exe
C:\Program Files\mcafee.com\personal firewall\bak\MPfTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe
C:\Program Files\Real\RealPlayer\bak\RealPlay.exe
C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe
C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe
C:\Program Files\Common Files\AOL\1150817884\ee\bak\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1150817884\ee\bak\SSCRun.exe

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.

 

[Smoke_O]

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 07/02/2008
The current time is: 4:36:23.78


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

08/28/2006 07:16 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/19/2006 11:18 PM 114,688 hkcmd.exe
06/19/2006 11:19 PM 155,648 igfxtray.exe
2 File(s) 270,336 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\ANTIVI~1\BAK

10/19/2005 01:13 PM 460,336 mcvsescn.exe
08/18/2005 05:57 PM 116,272 oasclnt.exe
2 File(s) 576,608 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

03/07/2006 04:05 PM 992,808 MPfTray.exe
1 File(s) 992,808 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

08/02/2002 02:41 PM 110,592 mm_tray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

06/21/2006 04:29 AM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 08:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

11/09/2006 04:07 PM 49,263 jusched.exe
1 File(s) 49,263 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\115081~1\EE\BAK

09/25/2006 08:52 PM 50,736 AOLSoftware.exe
11/20/2006 04:42 PM 153,168 SSCRun.exe
2 File(s) 203,904 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\115081~1\EE\SERVICES\SAFETY~2\VER210~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

413696 Mar 28 2008 "C:\Program Files\QuickTime\QTTask.exe"
98304 Aug 28 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
114688 Jun 19 2006 "C:\WINDOWS\system32\hkcmd.exe"
114688 Jul 10 2003 "C:\WINNT\system32\hkcmd.exe"
114688 Jun 19 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 May 14 2002 "C:\WINNT\LastGood\System32\hkcmd.exe"
114688 Jun 19 2006 "C:\CABS\Winxp\Display\82845GGL\hkcmd.exe"
114688 Jun 19 2006 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
114688 May 14 2002 "C:\WINNT\system32\ReinstallBackups\0007\DriverFiles\hkcmd.exe"
155648 Jun 19 2006 "C:\WINDOWS\system32\igfxtray.exe"
155648 Jul 10 2003 "C:\WINNT\system32\igfxtray.exe"
155648 Jun 19 2006 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 May 14 2002 "C:\WINNT\LastGood\System32\igfxtray.exe"
155648 Jun 19 2006 "C:\CABS\Winxp\Display\82845GGL\igfxtray.exe"
155648 Jun 19 2006 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
155648 May 14 2002 "C:\WINNT\system32\ReinstallBackups\0007\DriverFiles\igfxtray.exe"
460336 Oct 19 2005 "C:\Program Files\mcafee.com\antivirus\bak\mcvsescn.exe"
116272 Aug 18 2005 "C:\Program Files\mcafee.com\antivirus\bak\oasclnt.exe"
992808 Mar 7 2006 "C:\Program Files\mcafee.com\personal firewall\bak\MPfTray.exe"
110592 Aug 2 2002 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
135168 Sep 3 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\ChanDir\MMJB\mm_tray.exe"
26112 Aug 29 2007 "C:\Program Files\Real\RealPlayer\realplay.exe"
26112 Jun 21 2006 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"
48280 Mar 10 2006 "C:\Program Files\Common Files\AOL\1150817884\ee\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1150817884\ee\bak\AOLSoftware.exe"
153168 Nov 20 2006 "C:\Program Files\Common Files\AOL\1150817884\ee\bak\SSCRun.exe"


end of report

 

[pskelley]

Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\mcafee.com\antivirus\bak
C:\Program Files\mcafee.com\antivirus\bak
C:\Program Files\mcafee.com\personal firewall\bak
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak
C:\Program Files\Real\RealPlayer\bak
C:\Program Files\Common Files\AOL\ACS\bak
C:\Program Files\Java\jre1.5.0_10\bin\bak
C:\Program Files\Common Files\AOL\1150817884\ee\bak
C:\Program Files\Common Files\AOL\1150817884\ee\bak

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt in your next reply

 

[Smoke_O]

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Wed 07/02/2008
The current time is: 9:16:34.54


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 08:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\115081~1\EE\SERVICES\SAFETY~2\VER210~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"


end of report

 

[pskelley]

Double-click FindAWF.exe to start the tool.

Select option #4 - Reset domain zones by typing 4 and press 'Enter'
You will receive a warning to reset domain zones
Press 1 then press Enter.
If you have manually included sites in the trusted zones, these will need to be re-inserted.


Restart the computer and scan for a new combofix log and post it along with a fresh HJT log.

Thanks

 

[Smoke_O]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:05:50 PM, on 7/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\1150817884\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1150817884\ee\aolsoftware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\America Online 9.0e\waol.exe
C:\Program Files\America Online 9.0e\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150817884\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1150817884\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0e\AOL.EXE" -b
O4 - Global Startup: ZyXEL G-220 v2 Wireless Adapter Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8125 bytes

 

[Smoke_O]

ComboFix 08-07-05.1 - Owner 2008-07-07 12:34:29.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.714 [GMT -4:00]
Running from: C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blphcefhj0er0g.scr
C:\WINDOWS\system32\phcefhj0er0g.bmp

.
((((((((((((((((((((((((( Files Created from 2008-06-07 to 2008-07-07 )))))))))))))))))))))))))))))))
.

2008-07-02 04:36 . 2006-06-19 23:19 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2008-07-02 04:36 . 2006-06-19 23:18 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
2008-06-26 18:41 . 2008-06-26 18:41 <DIR> d-------- C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer
2008-06-26 18:38 . 2008-06-26 18:41 <DIR> d-------- C:\Program Files\AXPFixer
2008-06-24 12:17 . 2008-06-24 12:17 <DIR> d-------- C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g
2008-06-17 03:53 . 2008-06-21 15:28 <DIR> d--hs---- C:\WINDOWS\T2x1aWdibw
2008-06-16 14:20 . 2008-06-16 14:20 <DIR> d-------- C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\Malwarebytes
2008-06-16 14:19 . 2008-06-16 14:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-16 14:19 . 2008-06-16 14:19 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-16 14:19 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-16 14:19 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 00:29 . 2008-06-16 00:29 4,286 --a------ C:\WINDOWS\system32\Jamster.ico
2008-06-15 02:51 . 2008-06-15 02:51 <DIR> d-------- C:\Documents and Settings\Administrator.OLUIGBO-9MC03P2\Application Data\Viewpoint
2008-06-15 02:50 . 2008-06-15 02:50 <DIR> d-------- C:\Documents and Settings\Administrator.OLUIGBO-9MC03P2\Application Data\AOL
2008-06-15 02:49 . 2008-06-15 02:49 <DIR> d-------- C:\Documents and Settings\Administrator.OLUIGBO-9MC03P2
2008-06-15 02:15 . 2008-06-15 02:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 02:03 . 2008-06-15 02:03 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-15 02:03 . 2008-06-15 02:03 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2008-06-15 01:20 . 2008-06-15 01:20 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-15 01:06 . 2002-09-03 09:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
2008-06-15 01:05 . 2008-06-15 01:05 <DIR> d-------- C:\Program Files\uTorrent
2008-06-15 01:05 . 2008-06-21 15:30 <DIR> d-------- C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\uTorrent
2008-06-10 16:45 . 2008-06-13 09:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 13:16 --------- d-----w C:\Program Files\QuickTime
2008-06-29 15:12 --------- d-----w C:\Program Files\Viewpoint
2008-06-29 15:12 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Viewpoint
2008-06-27 04:39 316 ----a-w C:\drmHeader.bin
2008-06-27 02:26 --------- d-----w C:\Program Files\DivX
2008-06-26 09:36 16,896 ----a-w C:\WINDOWS\system32\svchost.exe
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-23 15:16 --------- d-----w C:\Program Files\MSXML 4.0
2008-05-22 22:22 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-05-22 22:22 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:22 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-22 22:22 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-22 22:22 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-22 07:29 --------- d-----w C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\Apple Computer
2008-05-15 20:08 --------- d-----w C:\Program Files\iTunes
2008-05-15 20:07 --------- d-----w C:\Program Files\iPod
2008-05-15 20:06 --------- d-----w C:\Program Files\Bonjour
2008-05-15 20:04 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple Computer
2008-05-15 20:03 --------- d-----w C:\Program Files\Apple Software Update
2008-05-15 20:02 --------- d-----w C:\Program Files\Common Files\Apple
2008-05-15 20:02 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Apple
2008-05-14 04:29 --------- d-----w C:\Program Files\Movie Joiner
2008-05-13 21:01 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Motive
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 07:04 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2006-08-11 00:47 17,528 ----a-w C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\GDIPFONTCACHEV1.DAT
2003-11-15 20:22 58,264 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2005-07-29 20:24 472 --sha-r C:\WINDOWS\T2x1aWdibw\nZUYuqx2vT.vbs
.

------- Sigcheck -------

2002-09-03 09:00 12800 0f7d9c87b0ce1fa520473119752c6f79 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2004-08-04 03:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2008-06-26 05:36 16896 35de7705f9fb23992740523b5c9fdac5 C:\WINDOWS\system32\svchost.exe

2002-09-03 09:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 03:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2004-08-04 03:56 505856 481addbb21037489eacfcb308b1be2b0 C:\WINDOWS\system32\winlogon.exe

2007-06-13 06:23 1035264 666c5d9dbced0cdfd48285103f8e2808 C:\WINDOWS\explorer.exe
2007-06-13 07:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2002-09-03 09:00 1004032 a82b28bfc2e4455fe43022a498c0ef0a C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 03:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2004-08-04 03:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2002-09-03 09:00 101376 e3df4a0252d287c44606ee55355e1623 C:\WINDOWS\$NtServicePackUninstall$\services.exe
2004-08-04 03:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\ServicePackFiles\i386\services.exe
2004-08-04 03:56 110080 77f48ea251a503aae5fc0e7af4a425d7 C:\WINDOWS\system32\services.exe

2002-09-03 09:00 11776 b2b6ba905d0e3f8a32a0eb3b4051807b C:\WINDOWS\$NtServicePackUninstall$\lsass.exe
2004-08-04 03:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\ServicePackFiles\i386\lsass.exe
2004-08-04 03:56 14336 d1320ba74a3866c2859b0518080cf84c C:\WINDOWS\system32\lsass.exe

2005-06-10 19:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\$hf_mig$\KB896423\SP2GDR\spoolsv.exe
2005-06-10 20:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 19:55 53248 6b4bf97957a0b8795811975d4bf1acfe C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 03:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2002-09-03 09:00 51200 9b4155ba58192d4073082b8fc5d42612 C:\WINDOWS\$NtUninstallKB896423_0$\spoolsv.exe
2004-08-04 03:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2005-06-10 19:53 58368 e1f9dbda12cbef81cf3d771d45c7dea5 C:\WINDOWS\system32\spoolsv.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-28_13.07.31.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-28 16:49:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-07 03:08:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL Fast Start"="C:\Program Files\America Online 9.0e\AOL.EXE" [2005-07-12 06:17 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2006-06-19 23:19 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2006-06-19 23:18 114688]
"HostManager"="C:\Program Files\Common Files\AOL\1150817884\ee\AOLSoftware.exe" [2006-03-10 18:22 48280]
"MMTray"="C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [N/A]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [N/A]
"AOLSPScheduler"="C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe" [2006-11-20 16:42 8784]
"sscRun"="C:\Program Files\Common Files\AOL\1150817884\ee\SSCRun.exe" [N/A]
"OASClnt"="C:\Program Files\mcafee.com\antivirus\oasclnt.exe" [N/A]
"EmailScan"="C:\Program Files\mcafee.com\antivirus\mcvsescn.exe" [N/A]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" [N/A]
"MPFExe"="C:\Program Files\mcafee.com\personal firewall\MPfTray.exe" [N/A]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 17:42 79448]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-08-29 19:02 26112]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-06-06 19:52 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 15:20 2061816]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ZyXEL G-220 v2 Wireless Adapter Utility.lnk - C:\Program Files\ZyXEL\ZyXEL G-220 v2 Wireless Adapter Utility\ZyXEL G-220 v2.exe [2007-09-17 16:11:27 10891264]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\seppgm.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\seppgs.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2002-10-03 20:50 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2007-08-29 19:02 26112 C:\Program Files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hot Key Kbd 9910 Daemon]
--------- 2001-01-03 15:50 66048 C:\WINDOWS\system32\SK9910DM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PROMon.exe]
--a------ 2002-04-18 18:32 73728 C:\WINDOWS\system32\PROMon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\America Online 9.0e\\waol.exe"=
"C:\\Program Files\\ZyXEL\\ZyXEL G-220 v2 Wireless Adapter Utility\\ZyXEL G-220 v2.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 RioPNP;RioPNP;C:\WINDOWS\system32\drivers\RioPNP.sys [2000-06-06 10:29]
R2 ZDCNDIS5;ZDCNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\ZDCNDIS5.sys [2006-08-17 10:03]
R3 ZG760_XP;ZyXEL 802.11g XG762 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanGZXP.sys [2006-08-17 10:03]
S1 seppgm;TCP x IP2 Kernel;C:\WINDOWS\System32\seppgm.sys []
S2 seppgs;TCP x IP2 Kernel32;C:\WINDOWS\System32\seppgm.sys []
S3 {BEE686B9-4C84-4487-9D72-9F40F051E973};{BEE686B9-4C84-4487-9D72-9F40F051E973};C:\WINDOWS\System32\svchost.exe [2008-06-26 05:36]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{BEE686B9-4C84-4487-9D72-9F40F051E973}

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-07 12:40:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{BEE686B9-4C84-4487-9D72-9F40F051E973}]
"ServiceDll"="C:\DOCUME~1\OWNER~1.OLU\LOCALS~1\Temp\25E.tmp"
.
Completion time: 2008-07-07 12:44:56
ComboFix-quarantined-files.txt 2008-07-07 16:43:52
ComboFix2.txt 2008-06-29 15:44:39
ComboFix3.txt 2008-06-28 19:33:29
ComboFix4.txt 2008-06-28 17:10:41

Pre-Run: 9,850,032,128 bytes free
Post-Run: 10,020,999,168 bytes free

211 --- E O F --- 2008-06-20 06:54:47

 

[pskelley]

I am not sure why but one of the infected programs did not get cleaned.
(((((((((((((((((((((((((((((((((((((((((((( AWF )))))))))))))))))))))))))))

----a-r 71,216 2006-10-23 12:50:37 C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe


Let's try to fix this like this:

1) Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here. <<< no need to post this


2) Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\Program Files\Common Files\AOL\ACS\bak

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt in your next reply <<< no need to post this

3) Double-click FindAWF.exe to start the tool.

Select option #4 - Reset domain zones by typing 4 and press 'Enter'
You will receive a warning to reset domain zones
Press 1 then press Enter.
If you have manually included sites in the trusted zones, these will need to be re-inserted.

4) Let's check to make sure it is gone, restart the computer then:

• * Double-click FindAWF.exe to start the tool.
  * Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
  * When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

Can you tell me how the computer is running.

Thanks

 

[Smoke_O]

The computer seems to be running fine but there is still tons of shortcuts of fake programs and my desktop is still blue and says that I am infected with malware. There is a program called AntiVirus 2008 that has shortcuts everywhere. It used to pop up and asked to be run but it doesnt occur anymore so its probably gone. But the shortcuts and the programs are still on the computer. Im sure I can just change it but Im not sure if it is from a virus or the computer put it up. 'My Computer' doesnt have an icon. I mean there is an icon but not of a folder if that makes any sense. Well here is the report



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Tue 07/01/2008
The current time is: 13:59:40.81


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\QUICKT~1\BAK

08/28/2006 07:16 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

06/19/2006 11:18 PM 114,688 hkcmd.exe
06/19/2006 11:19 PM 155,648 igfxtray.exe
2 File(s) 270,336 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\ANTIVI~1\BAK

10/19/2005 01:13 PM 460,336 mcvsescn.exe
08/18/2005 05:57 PM 116,272 oasclnt.exe
2 File(s) 576,608 bytes

Directory of C:\PROGRA~1\MCAFEE.COM\PERSON~1\BAK

03/07/2006 04:05 PM 992,808 MPfTray.exe
1 File(s) 992,808 bytes

Directory of C:\PROGRA~1\MUSICM~1\MUSICM~1\BAK

08/02/2002 02:41 PM 110,592 mm_tray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

06/21/2006 04:29 AM 26,112 RealPlay.exe
1 File(s) 26,112 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\ACS\BAK

10/23/2006 08:50 AM 71,216 AOLDial.exe
1 File(s) 71,216 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

11/09/2006 04:07 PM 49,263 jusched.exe
1 File(s) 49,263 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\115081~1\EE\BAK

09/25/2006 08:52 PM 50,736 AOLSoftware.exe
11/20/2006 04:42 PM 153,168 SSCRun.exe
2 File(s) 203,904 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\115081~1\EE\SERVICES\SAFETY~2\VER210~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

413696 Mar 28 2008 "C:\Program Files\QuickTime\QTTask.exe"
98304 Aug 28 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
114688 Jul 10 2003 "C:\WINNT\system32\hkcmd.exe"
114688 Jun 19 2006 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 May 14 2002 "C:\WINNT\LastGood\System32\hkcmd.exe"
114688 Jun 19 2006 "C:\CABS\Winxp\Display\82845GGL\hkcmd.exe"
114688 Jun 19 2006 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
114688 May 14 2002 "C:\WINNT\system32\ReinstallBackups\0007\DriverFiles\hkcmd.exe"
155648 Jul 10 2003 "C:\WINNT\system32\igfxtray.exe"
155648 Jun 19 2006 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 May 14 2002 "C:\WINNT\LastGood\System32\igfxtray.exe"
155648 Jun 19 2006 "C:\CABS\Winxp\Display\82845GGL\igfxtray.exe"
155648 Jun 19 2006 "C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
155648 May 14 2002 "C:\WINNT\system32\ReinstallBackups\0007\DriverFiles\igfxtray.exe"
460336 Oct 19 2005 "C:\Program Files\mcafee.com\antivirus\bak\mcvsescn.exe"
116272 Aug 18 2005 "C:\Program Files\mcafee.com\antivirus\bak\oasclnt.exe"
992808 Mar 7 2006 "C:\Program Files\mcafee.com\personal firewall\bak\MPfTray.exe"
110592 Aug 2 2002 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe"
135168 Sep 3 2007 "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\ChanDir\MMJB\mm_tray.exe"
26112 Aug 29 2007 "C:\Program Files\Real\RealPlayer\realplay.exe"
26112 Jun 21 2006 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
71216 Oct 23 2006 "C:\Program Files\Common Files\AOL\ACS\bak\AOLDial.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"
48280 Mar 10 2006 "C:\Program Files\Common Files\AOL\1150817884\ee\AOLSoftware.exe"
50736 Sep 25 2006 "C:\Program Files\Common Files\AOL\1150817884\ee\bak\AOLSoftware.exe"
153168 Nov 20 2006 "C:\Program Files\Common Files\AOL\1150817884\ee\bak\SSCRun.exe"


end of report

Find AWF report by noahdfear ©2006


bak folders found


---------- DIR.TXT

 

[pskelley]

Thanks for the feedback, right in the middle of the cleanup combofix report the AWF that had to be removed first. Let's start with a new MBAM scan and a fresh HJT log. You have MBAM on board but make sure you update it.

Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

Shortcuts on the Desktop may not have gotten removed with the programs. You may delete any shortcuts you know do not belong there.

Thanks

 

[Smoke_O]

Malwarebytes' Anti-Malware 1.20
Database version: 933
Windows 5.1.2600 Service Pack 2

1:57:28 PM 7/9/2008
mbam-log-7-9-2008 (13-57-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 136590
Time elapsed: 45 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 26
Files Infected: 56

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\GetModule (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\GetPack (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\iCheck (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Advanced XP Fixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\rhcafhj0er0g\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008 (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\AXPFixer\AXPFixer.exe (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\Uninstall.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Outerinfo\FF\components\FF.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\rhcafhj0er0g\rhcafhj0er0g.exe.vir (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\rhcafhj0er0g\rhcafhj0er0gSkin.dll.vir (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\rhcafhj0er0g\Uninstall.exe.vir (Rogue.Installer) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\9.tmp.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\mrxl.dll.vir (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pphcefhj0er0g.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP519\A0072795.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP519\A0072805.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP519\A0072814.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP519\A0073814.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP519\A0073851.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP519\A0073862.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP520\A0074852.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP520\A0074863.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP520\A0074935.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP521\A0074968.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP521\A0074995.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP522\A0075030.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP522\A0075031.exe (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP522\A0075034.dll (Adware.ClickSpring) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP522\A0076095.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP522\A0076111.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP523\A0076226.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP523\A0076252.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP523\A0076270.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP524\A0076320.exe (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP524\A0076321.dll (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP524\A0076322.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{20DA0542-C5BC-457A-A132-6EDD7E94FA67}\RP524\A0076326.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\AXPFixer.exe.local (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\AXPFixerSkin.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\database.dat (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\license.txt (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\MFC71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\MFC71ENU.DLL (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\msvcp71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Program Files\AXPFixer\msvcr71.dll (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Advanced XP Fixer\Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Advanced XP Fixer\How to Register Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Advanced XP Fixer\License Agreement.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Advanced XP Fixer\Register Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Advanced XP Fixer\Uninstall.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\How to Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\License Agreement.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Register Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008\Uninstall.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Desktop\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Antivirus XP 2008.lnk (Rogue.AntivirusXP2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Advanced XP Fixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.OLUIGBO-9MC03P2\Application Data\Microsoft\Internet Explorer\Quick Launch\AXPFixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Desktop\AXPFixer.lnk (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

 

[Smoke_O]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:31 PM, on 7/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ZyXEL\ZyXEL G-220 v2 Wireless Adapter Utility\ZyXEL G-220 v2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\AOL\1150817884\ee\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1150817884\ee\aolsoftware.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Verizon Broadband Toolbar - {4E7BD74F-2B8D-469E-8CB0-AB60BB9AAE22} - C:\PROGRA~1\VOL_TO~1\VOL_TO~1.DLL
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1150817884\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1150817884\ee\SSCRun.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0e\AOL.EXE" -b
O4 - Global Startup: ZyXEL G-220 v2 Wireless Adapter Utility.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1150817884\ee\services\safetyCore\ver210_5_2_1\aolavupd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8034 bytes

 

[pskelley]

MBAM got the rouge junk we were working on when AWF showed up in the combofix log, and your HJT log looks clean of malware. How is the computer running now. Where did you say you got your computer this badly infected?

Clean infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

If all is well, let's remove combofix like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.