My computer has trojans

Doom Saber

New member
Below are the reports for HJT and Kaspersky. I think my PC has Virtumonde, despite the fact that I think Spybot removed it, since my PC still lags.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:55:32 PM, on 8/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\WINDOWS\system32\Rundll32.exe
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
E:\Program Files\internet explorer\iexplore.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\PROGRA~1\Yahoo!\browser\ybrowser.exe
E:\PROGRA~1\Yahoo!\browser\ybrowser.exe
E:\PROGRA~1\Yahoo!\browser\ybrowser.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMf7127f90] Rundll32.exe "E:\WINDOWS\system32\nwcditum.dll",s
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [A00F12F0E36.exe] E:\DOCUME~1\User1\LOCALS~1\Temp\_A00F12F0E36.exe
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O20 - Winlogon Notify: ssqRIXqN - E:\WINDOWS\
O20 - Winlogon Notify: __c004B568 - E:\WINDOWS\
O20 - Winlogon Notify: __c0087BA4 - E:\WINDOWS\system32\__c0087BA4.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8014 bytes

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, August 20, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 20, 2008 09:25:42
Records in database: 1113234
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan statistics:
Files scanned: 371066
Threat name: 6
Infected objects: 32
Suspicious objects: 0
Duration of the scan: 14:28:36


File name / Threat name / Threats count
E:\WINDOWS\system32\__c0087BA4.dat/E:\WINDOWS\system32\__c0087BA4.dat Infected: Packed.Win32.PolyCrypt.d 14
MOM.exe\nwcditum.dll/MOM.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
rundll32.exe\nwcditum.dll/rundll32.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
AdobeUpdater.exe\nwcditum.dll/AdobeUpdater.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
WZQKPICK.EXE\nwcditum.dll/WZQKPICK.EXE\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
CCC.exe\nwcditum.dll/CCC.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
IEXPLORE.EXE\nwcditum.dll/IEXPLORE.EXE\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
ycommon.exe\nwcditum.dll/ycommon.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
wscntfy.exe\nwcditum.dll/wscntfy.exe\nwcditum.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.abnb 1
E:\WINDOWS\system32\etls.dll Infected: not-a-virus:AdWare.Win32.RK.r 1
E:\WINDOWS\system32\__c004B568.dat Infected: Packed.Win32.PolyCrypt.d 1
E:\WINDOWS\system32\__c0087BA4.dat Infected: Packed.Win32.PolyCrypt.d 1
H:\Utilities2\Burn CD\CloneCD V4.3.17\SetupCloneCD4317.exe Infected: not-a-virus:AdWare.Win32.CommonName.z 1
H:\Utilities2\Internet - Network\Remote-Anything 4.11.12\Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4117 1
H:\Utilities2\Utilities Softs\Remote-Anything 4.11.12\Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4117 1
I:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
I:\Utilities\Burn CD\CloneCD V4.3.17\SetupCloneCD4317.exe Infected: not-a-virus:AdWare.Win32.CommonName.z 1
I:\Utilities\Internet - Network\Remote-Anything 4.11.12\Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4117 1
I:\Utilities\Utilities Softs\Remote-Anything 4.11.12\Master.exe Infected: not-a-virus:RemoteAdmin.Win32.RA.4117 1

The selected area was scanned.
----------------------------------------------
http://forums.spybot.info/showthread.php?p=100879#post100879
http://forums.spybot.info/showthread.php?p=169409#post169409
http://forums.spybot.info/showthread.php?p=201399#post201399
 
Doom Saber,

Your PC is infected, and you posted before and never replied. We really do not have the time to analyze your log, work up a fix and then get no reply from you; you are taking us away from someone who is seriously infected and needs and wants our help. You need to reply to this thread only by using SUBMIT REPLY and not START ANY NEW TOPICS. If this topic is not replied to in 5 days, this thread will be closed and no other help will be offered to you.


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- Don't forget this
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and Paste the entire report in your next reply along with a New Hijackthis log.
 
Sorry for not replying before. I seriously did need your help last time and this time, and I apologize if I wasted your guys' time and resources. It's just that at the time of the previous topics, I couldn't post on time because of personal matters. However, since I am out of college, I promise I can post within 5 days.

This is the first time this PC has been infected; previously, I asked for help on my other PC, which was cleaned thanks to you guys.

Lastly, if my PCs are infected again with something serious, for instance this PC having Virtumonde, do I make a new topic to reflect the trojan it has, or continue from this thread? Thanks, and I am so sorry about not replying to the previous topics.

Here is my Hijackthis! log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:55 PM, on 8/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\WINDOWS\system32\Rundll32.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\Viewpoint\Common\ViewpointService.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\dllhost.exe
E:\PROGRA~1\Yahoo!\browser\ybrowser.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BMf7127f90] Rundll32.exe "E:\WINDOWS\system32\nwcditum.dll",s
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-220523388-1644491937-725345543-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O20 - Winlogon Notify: ssqRIXqN - E:\WINDOWS\
O20 - Winlogon Notify: __c0087BA4 - E:\WINDOWS\system32\__c0087BA4.dat
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8152 bytes




And here is my antimalware log:

Malwarebytes' Anti-Malware 1.25
Database version: 1078
Windows 5.1.2600 Service Pack 2

8:26:24 PM 8/23/2008
mbam-log-08-23-2008 (20-26-24).txt

Scan type: Quick Scan
Objects scanned: 59395
Time elapsed: 7 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 31

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
E:\WINDOWS\system32\nwcditum.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\__c0087BA4.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{8674aea0-9d3d-11d9-99dc-00600f9a01f1} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004b568 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c0087ba4 (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmf7127f90 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\a00f12f0e36.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\nwcditum.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\ynpqjafw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
E:\Documents and Settings\User1\Local Settings\Temp\_A00F12F0E36.exe (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\__c0087BA4.dat (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\__c004B568.dat (Trojan.Agent) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\~.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\iifgFYsP.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\BMf7127f90.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\BMf7127f90.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\users_rating.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\spy_away_header_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\spy_away_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\spy_away_box_small.jpg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\protect.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\perfect_cleaner_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\logo_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\features.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\download_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\buy_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\5_stars.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\4_stars.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\spy_away_box.jpg (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\v.gif (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\drivers\x.gif (Malware.Trace) -> Quarantined and deleted successfully.
 
Hello,

Just stay in this topic by using the Submit Reply.

Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one (the only program or window you should have open is HijackThis), check the following entries and click on Fix Checked.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O4 - HKLM\..\Run: [BMf7127f90] Rundll32.exe "E:\WINDOWS\system32\nwcditum.dll",s

O20 - Winlogon Notify: ssqRIXqN - E:\WINDOWS\
O20 - Winlogon Notify: __c0087BA4 - E:\WINDOWS\system32\__c0087BA4.dat

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - E:\Program Files\Viewpoint\Common\ViewpointService.exe

Go to Add/Remove Programs in the Control Panel and uninstall Viewpoint. It installs without your knowledge or consent, uses system resources and basically is not needed for anything.

Please download ATF Cleaner by Atribune to your desktop.
  • This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected, but it will be back to normal after the first or second boot-up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized your passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from Here or Here to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
  • Click on this link to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Remember to re-enable the protection afterwards, before connecting to the net.


2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • If there is no internet connection when ComboFix has completely finished, restart your computer to restore the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.
 
Hello,

I followed the steps for running the ComboFix application and this is the report I have gotten. Not sure if I did anything wrong:

ComboFix 08-08-23.03 - User1 2008-08-24 16:26:26.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.206 [GMT -7:00]
Running from: E:\Documents and Settings\User1\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

Here is the hjt log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39, on 2008-08-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\dllhost.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-220523388-1644491937-725345543-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7698 bytes
 
Hello again,

I notice that the reason why I can't find the C:\combofix.txt (or in my case, E:\combofix.txt) is that the program reboots my PC while ComboFix is scanning for trojans, resulting in no log file. Any way to fix this? Thanks.
 
Let's run ComboFix again; I am sure it found bad entries, and maybe this time you can find the log.

Post a new HJT log also, please.
 
Hi,

I decided to run ComboFix via safe boot, which allowed the program to start without crashing:

ComboFix 08-08-23.03 - Administrator 2008-08-25 15:41:26.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.372 [GMT -7:00]
Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\xcrashdump.dat
E:\Documents and Settings\User1\Application Data\inst.exe
E:\Documents and Settings\User1\Application Data\macromedia\Flash Player\#SharedObjects\WSFSK2B3\interclick.com
E:\Documents and Settings\User1\Application Data\macromedia\Flash Player\#SharedObjects\WSFSK2B3\interclick.com\ud.sol
E:\Documents and Settings\User1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
E:\Documents and Settings\User1\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
E:\WINDOWS\system32\fravvwlp.ini
E:\WINDOWS\system32\moqAbJlm.ini
E:\WINDOWS\system32\moqAbJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-07-25 to 2008-08-25 )))))))))))))))))))))))))))))))
.

2008-08-23 20:17 . 2008-08-23 20:17 <DIR> d-------- E:\Documents and Settings\User1\Application Data\Malwarebytes
2008-08-23 20:17 . 2008-08-17 15:05 17,144 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-08-23 20:16 . 2008-08-23 20:17 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-08-23 20:16 . 2008-08-23 20:16 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-23 20:16 . 2008-08-17 15:05 38,472 --a------ E:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-23 20:10 . 2004-03-09 00:00 1,081,616 --a------ E:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-20 19:52 . 2008-08-20 19:52 <DIR> d-------- E:\nup
2008-08-17 21:35 . 2008-08-17 21:37 <DIR> d-------- E:\Program Files\Spybot2 - Search & Destroy
2008-08-13 10:51 . 2008-08-13 10:51 <DIR> d-------- E:\Program Files\Microsoft Silverlight
2008-08-07 14:00 . 2008-08-07 14:00 <DIR> d-------- E:\Program Files\American McGee's Grimm
2008-07-25 19:08 . 2008-07-25 19:09 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\WinZip
2008-07-25 18:37 . 2008-07-25 19:03 87 --a------ E:\WINDOWS\MC32.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-25 20:17 --------- d---a-w E:\Documents and Settings\All Users\Application Data\TEMP
2008-08-24 23:08 --------- d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
2008-08-21 01:22 --------- d-----w E:\Program Files\EsetOnlineScanner
2008-08-19 17:01 --------- d-----w E:\Documents and Settings\User1\Application Data\uTorrent
2008-08-19 03:02 --------- d-----w E:\Program Files\Java
2008-08-18 15:46 --------- d-----w E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-17 14:47 --------- d-----w E:\Documents and Settings\User1\Application Data\Yahoo!
2008-08-07 21:30 --------- d--h--w E:\Program Files\InstallShield Installation Information
2008-07-24 03:06 308,134 ----a-w E:\WINDOWS\java\Packages\NDJVNN3B.ZIP
2008-07-22 19:01 --------- d-----w E:\Documents and Settings\User1\Application Data\vlc
2008-07-09 12:05 43,872 ------w E:\WINDOWS\system32\drivers\pxhelp20.sys
2008-07-09 12:05 129,520 ------w E:\WINDOWS\system32\pxafs.dll
2008-07-09 12:05 120,568 ------w E:\WINDOWS\system32\pxcpyi64.exe
2008-07-09 12:05 118,256 ------w E:\WINDOWS\system32\pxinsi64.exe
2008-07-04 06:33 3,230,720 ----a-w E:\WINDOWS\system32\drivers\ati2mtag.sys
2008-07-04 04:05 593,920 ------w E:\WINDOWS\system32\ati2sgag.exe
2008-07-04 03:48 9,490,432 ----a-w E:\WINDOWS\system32\atioglx2.dll
2008-07-04 03:25 421,888 ----a-w E:\WINDOWS\system32\ATIDEMGX.dll
2008-07-04 03:23 309,248 ----a-w E:\WINDOWS\system32\ati2dvag.dll
2008-07-04 03:14 26,112 ----a-w E:\WINDOWS\system32\Ati2mdxx.exe
2008-07-04 03:14 184,320 ----a-w E:\WINDOWS\system32\atipdlxx.dll
2008-07-04 03:14 143,360 ----a-w E:\WINDOWS\system32\Oemdspif.dll
2008-07-04 03:13 43,520 ----a-w E:\WINDOWS\system32\ati2edxx.dll
2008-07-04 03:13 139,264 ----a-w E:\WINDOWS\system32\ati2evxx.dll
2008-07-04 03:12 561,152 ----a-w E:\WINDOWS\system32\ati2evxx.exe
2008-07-04 03:10 53,248 ----a-w E:\WINDOWS\system32\ATIDDC.DLL
2008-07-04 03:06 253,952 ----a-w E:\WINDOWS\system32\atiok3x2.dll
2008-07-04 03:00 3,786,144 ----a-w E:\WINDOWS\system32\ati3duag.dll
2008-07-04 02:55 307,200 ----a-w E:\WINDOWS\system32\atiiiexx.dll
2008-07-04 02:49 2,140,672 ----a-w E:\WINDOWS\system32\ativvaxx.dll
2008-07-04 02:34 48,640 ----a-w E:\WINDOWS\system32\amdpcom32.dll
2008-07-04 02:30 348,160 ----a-w E:\WINDOWS\system32\atikvmag.dll
2008-07-04 02:29 32,768 ----a-w E:\WINDOWS\system32\atiadlxx.dll
2008-07-04 02:28 53,248 ----a-w E:\WINDOWS\system32\drivers\ati2erec.dll
2008-07-04 02:28 17,408 ----a-w E:\WINDOWS\system32\atitvo32.dll
2008-07-04 02:25 5,439,488 ----a-w E:\WINDOWS\system32\atioglxx.dll
2008-07-04 02:22 565,248 ----a-w E:\WINDOWS\system32\ati2cqag.dll
2008-07-03 06:52 --------- d-----w E:\Program Files\iTunes
2008-07-02 05:59 --------- d-----w E:\Program Files\Yahoo! Games
2008-06-30 18:56 --------- d-----w E:\Documents and Settings\User1\Application Data\PC Tools
2008-06-26 05:51 --------- d-----w E:\Program Files\Sun
2008-06-26 05:11 --------- d-----w E:\Program Files\CA Yahoo! Anti-Spy
2008-06-26 05:04 --------- d-----w E:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-26 04:55 --------- d-----w E:\Program Files\Yahoo!
2008-06-26 04:55 --------- d-----w E:\Program Files\Common Files\Scanner
2008-06-26 04:55 --------- d-----w E:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-21 08:45 12,632 ----a-w E:\WINDOWS\system32\lsdelete.exe
2008-06-20 17:41 245,248 ----a-w E:\WINDOWS\system32\mswsock.dll
2007-09-19 21:54 47,360 ----a-w E:\Documents and Settings\User1\Application Data\pcouffin.sys
2005-02-28 03:07 271 --sha-w E:\Program Files\desktop.ini
2005-02-28 03:07 23,357 ----a-w E:\Program Files\folder.htt
.

------- Sigcheck -------

2007-05-31 11:40 502272 6e8ca4fcb30282f216f5db9dd58a5f81 E:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 67,752 2006-12-22 14:29:56 E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe

----a-w 39,792 2007-10-11 03:51:56 E:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2007-10-11 02:51:56 E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-r 2,321,600 2007-03-01 17:37:52 E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe
----a-r 2,321,600 2007-03-01 17:37:52 E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe

----a-w 153,136 2007-03-01 22:57:24 E:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe

----a-w 36,975 2005-04-13 10:48:52 E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe

----a-w 2,037,352 2007-03-29 03:41:26 E:\Program Files\Norton Ghost\Agent\bak\VProTray.exe

----a-w 98,304 2003-07-14 19:30:26 E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe

----a-w 185,456 2007-06-01 02:05:00 E:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe

----a-w 230,512 2007-06-01 02:05:00 E:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe

----a-w 129,536 2006-07-21 23:19:46 E:\Program Files\Yahoo!\browser\bak\ybrwicon.exe

----a-w 4,670,968 2007-03-02 01:11:26 E:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

----a-w 407,032 2006-07-21 17:43:10 E:\Program Files\Yahoo!\YOP\bak\yop.exe

----a-w 1,103,480 2007-03-05 21:57:48 H:\Program Files\Download Manager\bak\DLM.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-06-02 13:56 160496 --a------ E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"NeroHomeFirstStart"="E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe" [2007-05-16 09:27 16944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="E:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2008-02-04 15:18 267048]
"StartCCC"="E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"PWRISOVM.EXE"="E:\Program Files\PowerISO\PWRISOVM.EXE" [2008-03-14 16:50 233472]
"e-Trends Software Installation Helper"="E:\WINDOWS\system32\ehelper.exe" [2008-03-24 23:18 217110]
"WinampAgent"="E:\Program Files\Winamp\winampa.exe" [N/A]
"YSearchProtection"="E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 09:41 223984]
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"Cmaudio"="cmicnfg.cpl" [N/A]
"NWEReboot"="" [N/A]

E:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - H:\Program Files\WinZip\WZQKPICK.EXE [2008-04-28 11:20:00 415072]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= E:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= E:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"E:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"E:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"E:\\Program Files\\uTorrent\\uTorrent.exe"=
"E:\\Program Files\\Adobe\\Photoshop Elements 5.0\\AdobePhotoshopElementsMediaServer.exe"=
"E:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"G:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"E:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"E:\\Program Files\\AIM6\\aim6.exe"=


*Newly Created Service* - PXHELP20
.
Contents of the 'Scheduled Tasks' folder

2008-08-19 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.

O16 -: Microsoft XML Parser for Java - file://E:\WINDOWS\Java\classes\xmldso.cab
E:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: Yahoo! Word Racer - hxxp://origin.games.yahoo.net/games/clients/y/wt1_x.cab
E:\WINDOWS\Downloaded Program Files\Yahoo! Word Racer.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 15:46:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-25 15:51:14
ComboFix-quarantined-files.txt 2008-08-25 22:51:10

Pre-Run: 555,528,192 bytes free
Post-Run: 887,107,584 bytes free

177 --- E O F --- 2008-07-09 10:01:03

HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:56, on 2008-08-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
I:\aawservice.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\RunDll32.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\Program Files\PowerISO\PWRISOVM.EXE
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
E:\WINDOWS\system32\ehelper.exe
E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\Registry Mechanic\RegMech.exe
H:\Program Files\WinZip\WZQKPICK.EXE
E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Bonjour\mDNSResponder.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\internet explorer\iexplore.exe
E:\WINDOWS\system32\wuauclt.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
E:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
F2 - REG:system.ini: UserInit=E:\WINDOWS\SYSTEM32\userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot2 - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [StartCCC] "E:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] E:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [e-Trends Software Installation Helper] E:\WINDOWS\system32\ehelper.exe
O4 - HKLM\..\Run: [WinampAgent] "E:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [YSearchProtection] "E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [YSearchProtection] E:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [AdobeUpdater] E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [RegistryMechanic] E:\Program Files\Registry Mechanic\RegMech.exe /H
O4 - HKUS\S-1-5-21-220523388-1644491937-725345543-500\..\RunOnce: [NeroHomeFirstStart] E:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'Administrator')
O4 - Global Startup: WinZip Quick Pick.lnk = H:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Word Racer - http://origin.games.yahoo.net/games/clients/y/wt1_x.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=23100
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - I:\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - E:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - E:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PsExec (PSEXESVC) - Unknown owner - E:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - h:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - h:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

--
End of file - 7734 bytes
 
You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and their backups and then restore them.

Please download FindAWF and save it to your desktop

* Double-click FindAWF.exe to start the tool.
* Select option #1 - Scan for bak folders by typing 1 and pressing 'Enter'.
* When the tool has completed, a report will open up in Notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**
 
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-08-25
The current time is: 19:38:55.45


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\ADOBE\PHOTOS~1.0\BAK

2006-12-22 07:29 67,752 apdproxy.exe
1 File(s) 67,752 bytes

Directory of E:\PROGRA~1\NORTON~1\AGENT\BAK

2007-03-28 20:41 2,037,352 VProTray.exe
1 File(s) 2,037,352 bytes

Directory of E:\PROGRA~1\YAHOO!\ANTIVI~1\BAK

2007-05-31 19:05 185,456 CAVRID.exe
2007-05-31 19:05 230,512 CAVTray.exe
2 File(s) 415,968 bytes

Directory of E:\PROGRA~1\YAHOO!\BROWSER\BAK

2006-07-21 16:19 129,536 ybrwicon.exe
1 File(s) 129,536 bytes

Directory of E:\PROGRA~1\YAHOO!\MESSEN~1\BAK

2007-03-01 18:11 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of E:\PROGRA~1\YAHOO!\YOP\BAK

2006-07-21 10:43 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of E:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

2007-10-10 20:51 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

2007-03-01 15:57 153,136 NeroCheck.exe
1 File(s) 153,136 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of E:\PROGRA~1\SBCYAH~1\CONNEC~1\IPINSI~1\BAK

2003-07-14 12:30 98,304 IPMon32.exe
1 File(s) 98,304 bytes

Directory of H:\PROGRA~1\DOWNLO~1\BAK

2007-03-05 14:57 1,103,480 DLM.exe
1 File(s) 1,103,480 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67752 Dec 22 2006 "E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
2037352 Mar 28 2007 "E:\Program Files\Norton Ghost\Agent\bak\VProTray.exe"
185456 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
230512 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
129536 Jul 21 2006 "E:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
4670968 Mar 1 2007 "E:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
407032 Jul 21 2006 "E:\Program Files\Yahoo!\YOP\bak\yop.exe"
29696 Sep 23 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
153136 Mar 1 2007 "E:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
155648 Jul 9 2001 "I:\Backups\IBM\WINDOWS\system32\NeroCheck.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
144784 Mar 25 2008 "E:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
98304 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe"
98304 Jul 14 2003 "E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe"
1103480 Mar 5 2007 "H:\Program Files\Download Manager\bak\DLM.exe"
1103480 Mar 5 2007 "I:\Program Files\IGN\Download Manager\DLM.exe"


end of report
 
* Double-click FindAWF.exe to start the tool.
* Select option #2 - Restore files from bak folders by typing 2 and pressing 'Enter'.
* A text file will open up. Please copy/paste the following bolded text into the text file:

"E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
"E:\Program Files\Norton Ghost\Agent\bak\VProTray.exe"
"E:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
"E:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
"E:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
"E:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
"E:\Program Files\Yahoo!\YOP\bak\yop.exe"
"E:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
"E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
"E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe"
"H:\Program Files\Download Manager\bak\DLM.exe"


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
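The "bak" folder pattern the helper describes (original executable moved into a sibling `bak` folder, a replacement left in its place) and the two FindAWF steps above (scan, then restore) can be expressed as a small defensive script. This is an added example, not FindAWF's code or anything posted in the thread: it pairs every file under a `bak` directory with its same-named sibling one level up, compares the two by SHA-256, and for differing pairs quarantines the live file and copies the original back; the sample tree and its file contents are constructed here for the demonstration.

```python
# Added example, not FindAWF's or the forum's code: detect and undo the 'bak'
# folder pattern described in the thread. Each <dir>/bak/X.exe is paired with
# <dir>/X.exe and compared by SHA-256; the sample tree is constructed below.
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

@dataclass
class BakFinding:
    bak_file: Path               # presumed-legitimate original inside the bak folder
    live_file: Optional[Path]    # same-named file one level up, if it exists
    bak_sha256: str
    live_sha256: Optional[str]

    @property
    def differs(self) -> bool:
        """A live file exists and is not byte-identical to the bak copy: replacement suspected."""
        return self.live_sha256 is not None and self.live_sha256 != self.bak_sha256

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables need not be read whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_bak_folders(root: Path) -> List[BakFinding]:
    """FindAWF option 1 equivalent: every file under a 'bak' directory plus its parent-level twin."""
    findings: List[BakFinding] = []
    for dirpath, _dirs, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            bak_file = bak_dir / name
            live_file = bak_dir.parent / name  # exact-case lookup; NTFS itself is case-insensitive
            present = live_file.is_file()
            findings.append(BakFinding(
                bak_file=bak_file,
                live_file=live_file if present else None,
                bak_sha256=sha256_of(bak_file),
                live_sha256=sha256_of(live_file) if present else None,
            ))
    return sorted(findings, key=lambda f: str(f.bak_file))

def restore_from_bak(finding: BakFinding, quarantine: Path) -> Path:
    """FindAWF option 2 equivalent for one entry: move the suspect live file into
    quarantine (kept for analysis rather than deleted) and copy the original back."""
    quarantine.mkdir(parents=True, exist_ok=True)
    target = finding.bak_file.parent.parent / finding.bak_file.name
    if target.is_file():
        shutil.move(str(target), str(quarantine / (target.name + ".suspect")))
    shutil.copy2(str(finding.bak_file), str(target))
    return target

def build_sample_tree(base: Path) -> None:
    """Constructed layout modelled on the thread's report; file contents are made up."""
    av = base / "Program Files" / "Yahoo!" / "Antivirus"
    reader = base / "Program Files" / "Adobe" / "Reader 8.0" / "Reader"
    ghost = base / "Program Files" / "Norton Ghost" / "Agent"
    for d in (av / "bak", reader / "bak", ghost / "bak"):
        d.mkdir(parents=True)
    (av / "bak" / "CAVTray.exe").write_bytes(b"original CAVTray")  # original, moved aside
    (av / "CAVTray.exe").write_bytes(b"replacement dropped here")  # differs: suspect
    (reader / "bak" / "Reader_sl.exe").write_bytes(b"Reader_sl")  # identical pair
    (reader / "Reader_sl.exe").write_bytes(b"Reader_sl")
    (ghost / "bak" / "VProTray.exe").write_bytes(b"VProTray")  # no live counterpart

def demo() -> Dict[str, object]:
    """Build the sample tree, scan, restore only the differing pair, and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        findings = scan_bak_folders(root)
        suspect = [f for f in findings if f.differs]
        quarantine = root / "quarantine"
        for f in suspect:
            restore_from_bak(f, quarantine)
        after = scan_bak_folders(root)
        return {
            "found": len(findings),
            "suspect": [f.bak_file.name for f in suspect],
            "no_live_copy": [f.bak_file.name for f in findings if f.live_file is None],
            "identical": [f.bak_file.name for f in findings if f.live_file is not None and not f.differs],
            "suspect_after_restore": [f.bak_file.name for f in after if f.differs],
            "quarantined": sorted(p.name for p in quarantine.iterdir()) if quarantine.is_dir() else [],
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Equal sizes alone (as in the Reader_sl.exe pair in the report above) do not prove two files are identical, which is why the comparison is by hash rather than by length.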
 
Hello again,

Here is the AWF report:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-08-26
The current time is: 14:30:21.87


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\ADOBE\PHOTOS~1.0\BAK

2006-12-22 07:29 67,752 apdproxy.exe
1 File(s) 67,752 bytes

Directory of E:\PROGRA~1\NORTON~1\AGENT\BAK

2007-03-28 20:41 2,037,352 VProTray.exe
1 File(s) 2,037,352 bytes

Directory of E:\PROGRA~1\YAHOO!\ANTIVI~1\BAK

2007-05-31 19:05 185,456 CAVRID.exe
2007-05-31 19:05 230,512 CAVTray.exe
2 File(s) 415,968 bytes

Directory of E:\PROGRA~1\YAHOO!\BROWSER\BAK

2006-07-21 16:19 129,536 ybrwicon.exe
1 File(s) 129,536 bytes

Directory of E:\PROGRA~1\YAHOO!\MESSEN~1\BAK

2007-03-01 18:11 4,670,968 YAHOOM~1.EXE
1 File(s) 4,670,968 bytes

Directory of E:\PROGRA~1\YAHOO!\YOP\BAK

2006-07-21 10:43 407,032 yop.exe
1 File(s) 407,032 bytes

Directory of E:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

2007-10-10 20:51 39,792 Reader_sl.exe
1 File(s) 39,792 bytes

Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

2007-03-01 15:57 153,136 NeroCheck.exe
1 File(s) 153,136 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of E:\PROGRA~1\SBCYAH~1\CONNEC~1\IPINSI~1\BAK

2003-07-14 12:30 98,304 IPMon32.exe
1 File(s) 98,304 bytes

Directory of H:\PROGRA~1\DOWNLO~1\BAK

2007-03-05 14:57 1,103,480 DLM.exe
1 File(s) 1,103,480 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67752 Dec 22 2006 "E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
67752 Dec 22 2006 "E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
2037352 Mar 28 2007 "E:\Program Files\Norton Ghost\Agent\VProTray.exe"
2037352 Mar 28 2007 "E:\Program Files\Norton Ghost\Agent\bak\VProTray.exe"
185456 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
185456 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\bak\CAVRID.exe"
230512 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
230512 May 31 2007 "E:\Program Files\Yahoo!\Antivirus\bak\CAVTray.exe"
129536 Jul 21 2006 "E:\Program Files\Yahoo!\browser\ybrwicon.exe"
129536 Jul 21 2006 "E:\Program Files\Yahoo!\browser\bak\ybrwicon.exe"
4670968 Mar 1 2007 "E:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE"
4670968 Mar 1 2007 "E:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
407032 Jul 21 2006 "E:\Program Files\Yahoo!\YOP\yop.exe"
407032 Jul 21 2006 "E:\Program Files\Yahoo!\YOP\bak\yop.exe"
29696 Sep 23 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe"
39792 Oct 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
39792 Oct 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
153136 Mar 1 2007 "E:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
155648 Jul 9 2001 "I:\Backups\IBM\WINDOWS\system32\NeroCheck.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
144784 Mar 25 2008 "E:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
98304 Jul 14 2003 "C:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\ipmon32.exe"
98304 Jul 14 2003 "E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\IPMon32.exe"
98304 Jul 14 2003 "E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak\IPMon32.exe"
1103480 Mar 5 2007 "H:\Program Files\Download Manager\DLM.exe"
1103480 Mar 5 2007 "H:\Program Files\Download Manager\bak\DLM.exe"
1103480 Mar 5 2007 "I:\Program Files\IGN\Download Manager\DLM.exe"


end of report
 
Hi,

Before we go any further, go to your Add Remove Programs in the Control Panel and uninstall the following programs. These are all Java related; they should have a little coffee cup icon next to them.

jre1.5.0_03
jre1.6.0_01
jre1.6.0_06


Keep this one, do not uninstall it
jre1.6.0_07



Double-click FindAWF.exe to start the tool.

  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file:

E:\Program Files\Adobe\Photoshop Elements 5.0\bak
E:\Program Files\Norton Ghost\Agent\bak
E:\Program Files\Yahoo!\Antivirus\bak
E:\Program Files\Yahoo!\browser\bak
E:\Program Files\Yahoo!\Messenger\bak
E:\Program Files\Yahoo!\YOP\bak
E:\Program Files\Adobe\Reader 8.0\Reader\bak
E:\Program Files\Common Files\Adobe\Updater5\bak
E:\Program Files\Common Files\Ahead\Lib\bak
E:\Program Files\SBC Yahoo!\Connection Manager\IP Insight\bak
H:\Program Files\Download Manager\bak


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
 
Hi,

I am wondering if there is another way to delete programs other than Add/Remove? I am having problems finding jre1.5.0_03 when I follow your steps in going to Control Panel and using Add/Remove Programs to get rid of it, since it is not there; I was able to remove the other ones, though. Thank you.
 
Morning,

Here is the log for AWF:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 2008-08-27
The current time is: 12:50:43.60


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"


end of report
 
Hello,


I will explain in a bit what we're doing.


Open Hijackthis
  • Go to Misc Tools> Open Uninstall Manager.
  • Click on Save List.
  • The list will open in Notepad.
  • Copy and Paste the List into this thread



  • Double-click FindAWF.exe to start the tool.
  • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
  • When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**
 
Hello,

here are the hijackthis and awf



2Wire Wireless Client
7-Zip 4.57
Action Replay Code Manager
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Photoshop Elements 5.0.2 Patcher
Adobe Photoshop Lightroom 2
Adobe Reader 8.1.1
AIM 6
American McGee's Grimm: A Boy Learns What Fear Is
Apple Mobile Device Support
Apple Software Update
AT&T Yahoo! Applications
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Bonjour
CA Yahoo! Anti-Spy (remove only)
CCleaner (remove only)
C-Media 3D Audio
DLDIrc
DVD Shrink 3.2
DVDFab Platinum 3.1.8.0
ESET Online Scanner
e-Trends Software Installation Helper
Free Games Offer, Desktop Shortcut
GameTap
Guild Wars
Hellgate: London
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Image Editor
IsoBuster 2.4
iTunes
Java(TM) 6 Update 7
LEGO Digital Designer
LiveUpdate 3.2 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
MP3 Workshop XP 2.00
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Nero 7 Ultra Edition
neroxml
Norton Ghost
NVIDIA nForce Drivers
OpenOffice.org Installer 1.0
PlayNC Launcher
PowerISO
Print Server Driver
QuickTime
Registry Mechanic 8.0
Samsung PC Studio Samples 1.0
Samsung PC Studio 1.0 PIM & File Manager
SBC Yahoo! DSL Home Networking Installer
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
Spybot - Search & Destroy 1.4
Spyware Doctor 5.5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
VideoLAN VLC media player 0.8.6i
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
WinZip 11.2
World of Warcraft
Yahoo! Search Protection
YAMAHA Wave Sound Decorator



Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-08-27
The current time is: 18:38:37.59


bak folders found
~~~~~~~~~~~


Directory of E:\PROGRA~1\COMMON~1\ADOBE\UPDATER5\BAK

2007-03-01 10:37 2,321,600 AdobeUpdater.exe
1 File(s) 2,321,600 bytes

Directory of E:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

2005-04-13 03:48 36,975 jusched.exe
1 File(s) 36,975 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
140920 May 10 2007 "E:\Program Files\Adobe\Reader 8.0\Reader\AdobeUpdateCheck.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
45760 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\AdobeUpdaterInstallMgr.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
303616 May 15 2003 "H:\Utilities1\Update\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\IBM\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
303616 May 14 2003 "I:\Backups\Dell\Dell86\Program Files\Adobe\Acrobat 6.0\Reader\AdobeUpdateManager.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
144784 Jun 10 2008 "E:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
32881 Nov 19 2003 "I:\Backups\Dell\Dell86\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"


end of report
 
Hello,

All I see on your Add Remove for Java is the latest version, so let's not worry about that now.

This is what has happened: you got infected with the latest version of Vundo, which included a file infector. This trojan basically replaced its own infected copy of a file into the programs that we are working on, so that when you run that program the infected file does its nasty work. With FindAWF we are attempting to replace the infected file with the legit backup and then delete the backup. Out of all those programs, only two remain that did not take, so we need to run the tool again and attempt to remove the remaining infected file.


Double-click FindAWF.exe to start the tool.

  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file:

"E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
"E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"


* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
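An added example, not FindAWF's own code or anything the helper posted: a small Python triage of the "Duplicate files of bak directory contents" section that the reports above print. For each file sitting in a `\bak` folder it looks for the live sibling (same name, parent folder without `\bak`) in the same listing and compares sizes, which is the check the helper is doing by eye to decide which restores "took". The sample report is constructed from lines quoted on this page plus one made-up `tool.exe` mismatch entry; the status labels are my own.

```python
"""Triage a FindAWF 'Duplicate files of bak directory contents' listing.

Constructed example; this is not FindAWF's logic, only a reading of its output.
"""
import re

# Report lines look like: <size> <Mon> <day> <year> "<full path>"
LINE_RE = re.compile(r'^(\d+)\s+\w{3} \d{1,2} \d{4}\s+"(.+)"$')
BAK = "\\bak"

# Constructed sample: page-quoted entries plus one made-up mismatch (tool.exe).
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
67752 Dec 22 2006 "E:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
67752 Dec 22 2006 "E:\Program Files\Adobe\Photoshop Elements 5.0\bak\apdproxy.exe"
970752 Sep 14 2006 "E:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
2321600 Mar 1 2007 "E:\Program Files\Common Files\Adobe\Updater5\bak\AdobeUpdater.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
36975 Apr 13 2005 "E:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
40000 Jan 1 2008 "E:\Example\Tool\tool.exe"
39792 Jan 1 2008 "E:\Example\Tool\bak\tool.exe"
"""


def parse_report(text):
    """Map each listed path (lower-cased, Windows paths are case-insensitive) to its size."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries[m.group(2).lower()] = int(m.group(1))
    return entries


def triage(entries):
    """Classify every file found under a \\bak folder.

    restored : live sibling present with the same size (bak copy can go)
    orphaned : no live sibling in the listing (e.g. program uninstalled)
    mismatch : live sibling differs in size (restore did not take; look closer)
    """
    result = {}
    for path, size in entries.items():
        parent, _, name = path.rpartition("\\")
        if not parent.endswith(BAK):
            continue
        live = parent[: -len(BAK)] + "\\" + name
        if live not in entries:
            result[path] = "orphaned"
        elif entries[live] == size:
            result[path] = "restored"
        else:
            result[path] = "mismatch"
    return result


if __name__ == "__main__":
    for path, status in sorted(triage(parse_report(SAMPLE_REPORT)).items()):
        print(f"{status:9} {path}")
```

Size equality is only a first-pass check; on a live machine you would confirm with a hash or signature check of the live file before deleting the backup.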
 