
Solved: Awola Malware

Discussion in 'Virus & Other Malware Removal' started by bhoffart, Jan 18, 2008.

  1. bhoffart (Thread Starter; joined Jan 18, 2008; 17 messages)

    Hi, yesterday I started getting some really annoying Awola anti-spyware popups on my PC. I used the information in some of the threads on this forum, and thought that I had it beat, but today, I'm having the same problem. Here's the HijackThis log. Any help is much appreciated. This is a really annoying issue.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:49:55 PM, on 1/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\aspimgr.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Dell\QuickSet\bak\quickset.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\bak\hkcmd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    c:\program files\internet explorer\iexplore.exe
    C:\Documents and Settings\Benjamin\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.northwestern.edu/ewc/student/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: West Group CiteLink Microsoft IE Shell - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: LexisNexis Toolbar - {86BE1CDA-4F72-4c2f-9526-8E6A22DF46ED} - mscoree.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\bak\quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BounceBack Launcher.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.turing.libra...ib/northwestern/support/plugins/ebraryRdr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177206807750
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.93.139.144/activex/AxisCamControl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7C567BD8-B506-4EE0-B765-6063AA6C0247}: NameServer = 129.105.49.1 165.124.49.21
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7C567BD8-B506-4EE0-B765-6063AA6C0247}: NameServer = 129.105.49.1 165.124.49.21
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 12987 bytes
     
  2. bhoffart (Thread Starter; joined Jan 18, 2008; 17 messages)

    Seriously, does anyone have any suggestions? I've spent the last hour and a half trying the instructions in other threads on this site, following the instructions on other sites, and even buying a new antispyware program, and this thing STILL won't go away.

    HELP. The pop-ups that it generates keep me from doing pretty much anything on my PC. This thing is NASTY and ANNOYING and I'd like five minutes alone in a room with whoever spends their time devising ways to come up with stuff like this.

    Anyway, here's my latest HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:20:55 PM, on 1/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\QuickSet\bak\quickset.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Spyware Doctor\pctsGui.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Benjamin\Desktop\HiJackThis.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.northwestern.edu/ewc/student/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: West Group CiteLink Microsoft IE Shell - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: LexisNexis Toolbar - {86BE1CDA-4F72-4c2f-9526-8E6A22DF46ED} - mscoree.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\bak\quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
    O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BounceBack Launcher.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.turing.libra...ib/northwestern/support/plugins/ebraryRdr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177206807750
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.93.139.144/activex/AxisCamControl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 13397 bytes
     
  3. JSntgRvr (Moderator, Malware Specialist; joined Jul 1, 2003; 18,551 messages; first name José)

    Hi, bhoffart :)

    Welcome.

    The contents of your log show a possible downloader.Agent.awf or Downloader.Agent.ayy infection. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected, if any.

    Download FindAWF.exe from here, and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 1, then press Enter
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.
     
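The scan the moderator describes (look for folders named "bak", pair each file in them with the same-named file one level up, and see whether the live copy still matches) can be reproduced directly. The script below is an added example, not FindAWF's code and not part of this thread; it builds a constructed temporary tree with three program folders (two swapped, one intact) so it runs offline, and compares the pairs by SHA-256 rather than by size alone. A differing pair is a triage lead, not proof: some products keep a legitimate "bak" directory, so check the live file's publisher and hash before restoring anything.

```python
"""Walk a directory tree for the 'bak'-folder pattern the moderator describes:
an executable swapped for a dropper, with the genuine copy parked in .\\bak."""
import hashlib
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_replacements(root):
    """For every file inside a folder named 'bak', look for a file of the same
    name one level up and compare the two by hash. Returns one dict per pair."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        bak_dir = Path(dirpath)
        if bak_dir.name.lower() != "bak":
            continue
        for name in filenames:
            backup = bak_dir / name
            live = bak_dir.parent / name
            record = {
                "backup": str(backup), "live": str(live),
                "backup_size": backup.stat().st_size,
                "live_size": None, "live_sha256": None,
                "identical": False, "live_missing": not live.is_file(),
            }
            if not record["live_missing"]:
                record["live_size"] = live.stat().st_size
                record["live_sha256"] = sha256_of(live)
                record["identical"] = record["live_sha256"] == sha256_of(backup)
            findings.append(record)
    return findings


def common_replacement(findings):
    """The infection swaps every hijacked program for the *same* dropper, so the
    live files that differ from their backups should share a single hash.
    Returns (sha256, count) for the most frequent such hash, or None."""
    counts = Counter(f["live_sha256"] for f in findings
                     if not f["live_missing"] and not f["identical"])
    return counts.most_common(1)[0] if counts else None


def build_demo_tree():
    """Constructed sample tree (not taken from the thread): three program folders,
    two hijacked, one whose bak copy still matches the live file."""
    base = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    dropper = b"MZ" + b"\x90" * 200      # stand-in for the real replacement file
    for prog, hijacked in (("Apoint", True), ("QuickTime", True), ("iTunes", False)):
        folder = base / "Program Files" / prog
        (folder / "bak").mkdir(parents=True)
        original = ("MZ original " + prog).encode() * 64
        (folder / "bak" / (prog + ".exe")).write_bytes(original)
        (folder / (prog + ".exe")).write_bytes(dropper if hijacked else original)
    return base


def remove_demo_tree(base):
    """Delete the constructed tree again."""
    shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    demo = build_demo_tree()
    results = find_bak_replacements(demo)
    for r in results:
        state = "missing" if r["live_missing"] else ("identical" if r["identical"] else "DIFFERS")
        print(f"{state:9} {r['live']}  (live {r['live_size']} B, bak {r['backup_size']} B)")
    print("most common replacement:", common_replacement(results))
    remove_demo_tree(demo)
```

On a real machine, point `find_bak_replacements` at `C:\` (or at `C:\Program Files` and `C:\WINDOWS\system32`) and look at the `common_replacement` result: a single hash shared by every differing live file is the signature of one dropper copied over many programs, which is exactly what the report the moderator asks for is meant to surface.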
  4. bhoffart (Thread Starter; joined Jan 18, 2008; 17 messages)

    here is the awf.txt file


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Fri 01/18/2008
    The current time is: 19:40:28.64


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\APOINT\BAK

    09/13/2004 03:33 PM 155,648 Apoint.exe
    1 File(s) 155,648 bytes

    Directory of C:\PROGRA~1\DIGSTR~1\BAK

    05/18/2005 02:49 PM 282,624 digstream.exe
    1 File(s) 282,624 bytes

    Directory of C:\PROGRA~1\ESPNRU~1\BAK

    05/19/2005 01:55 PM 101,888 DIGServices.exe
    1 File(s) 101,888 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    09/14/2007 09:00 AM 267,064 iTunesHelper.exe
    1 File(s) 267,064 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    06/29/2007 05:24 AM 286,720 QTTask.exe
    1 File(s) 286,720 bytes

    Directory of C:\PROGRA~1\SUPERA~1\BAK

    06/21/2007 12:06 PM 1,318,912 SUPERAntiSpyware.exe
    1 File(s) 1,318,912 bytes

    Directory of C:\PROGRA~1\SYMANT~1\BAK

    06/23/2005 06:27 PM 85,696 VPTray.exe
    1 File(s) 85,696 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 04:00 AM 15,360 ctfmon.exe
    02/15/2005 02:02 PM 126,976 hkcmd.exe
    02/15/2005 02:02 PM 155,648 igfxtray.exe
    3 File(s) 297,984 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    06/02/2005 08:21 AM 48,752 ccApp.exe
    1 File(s) 48,752 bytes

    Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

    04/26/2004 07:04 AM 53,248 DVDLauncher.exe
    1 File(s) 53,248 bytes

    Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

    03/04/2005 10:26 AM 606,208 quickset.exe
    1 File(s) 606,208 bytes

    Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

    02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\OLYMPUS\OLYMPU~1\BAK

    10/20/2005 10:21 AM 40,960 FirstStart.exe
    10/20/2005 10:21 AM 57,344 Monitor.exe
    2 File(s) 98,304 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    12/06/2004 12:05 AM 127,035 tfswctrl.exe
    1 File(s) 127,035 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    09/16/2005 06:36 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    01/07/2004 12:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.546\BAK

    09/18/2007 10:58 PM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

    07/12/2007 02:00 AM 132,496 jusched.exe
    1 File(s) 132,496 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    26636 Oct 11 2007 "C:\Program Files\Apoint\Apoint.exe"
    155648 Sep 13 2004 "C:\drivers\mouse\onboard\Apoint.exe"
    155648 Sep 13 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
    26636 Oct 11 2007 "C:\Program Files\DIGStream\digstream.exe"
    282624 May 18 2005 "C:\Program Files\DIGStream\bak\digstream.exe"
    26636 Oct 11 2007 "C:\Program Files\ESPNRunTime\DIGServices.exe"
    101888 May 19 2005 "C:\Program Files\ESPNRunTime\bak\DIGServices.exe"
    267064 Sep 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
    267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Jan 15 2008 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
    116024 Sep 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
    26636 Oct 11 2007 "C:\Program Files\QuickTime\QTTask.exe"
    286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
    26636 Oct 11 2007 "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    5914648 Jul 17 2007 "C:\Documents and Settings\Benjamin\Desktop\SUPERAntiSpyware.exe"
    1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
    26636 Oct 11 2007 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
    85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    26636 Oct 11 2007 "C:\WINDOWS\system32\hkcmd.exe"
    126976 Feb 15 2005 "C:\drivers\video\onboard\hkcmd.exe"
    126976 Feb 15 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
    26636 Oct 11 2007 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Feb 15 2005 "C:\drivers\video\onboard\igfxtray.exe"
    155648 Feb 15 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
    26636 Oct 11 2007 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    26636 Oct 11 2007 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    53248 Apr 26 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
    26636 Oct 11 2007 "C:\Program Files\Dell\QuickSet\quickset.exe"
    606208 Mar 4 2005 "C:\Program Files\Dell\QuickSet\bak\quickset.exe"
    26636 Oct 11 2007 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
    26636 Oct 11 2007 "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
    40960 Oct 20 2005 "C:\Program Files\OLYMPUS\OLYMPUS Master\bak\FirstStart.exe"
    26636 Oct 11 2007 "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe"
    57344 Oct 20 2005 "C:\Program Files\OLYMPUS\OLYMPUS Master\bak\Monitor.exe"
    26636 Oct 11 2007 "C:\WINDOWS\system32\dla\tfswctrl.exe"
    127035 Dec 6 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
    127035 Dec 6 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
    26636 Oct 11 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Sep 16 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    26636 Oct 11 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
    110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
    52272 Sep 18 2007 "C:\Program Files\Google\googletoolbar1user.exe"
    69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
    26694 Sep 18 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
    138168 Sep 18 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
    26636 Oct 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
    171448 Sep 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
    26636 Oct 11 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


    end of report
     
  5. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      "C:\Program Files\APOINT\BAK\Apoint.exe"
      "C:\Program Files\DIGStream\BAK\digstream.exe"
      "C:\Program Files\ESPNRunTime\BAK\DIGServices.exe"
      "C:\Program Files\ITUNES\BAK\iTunesHelper.exe"
      "C:\Program Files\QuickTime\BAK\QTTask.exe"
      "C:\Program Files\SUPERAntiSpyware\BAK\SUPERAntiSpyware.exe"
      "C:\Program Files\Symantec AntiVirus\BAK\VPTray.exe"
      "C:\WINDOWS\SYSTEM32\BAK\ctfmon.exe"
      "C:\WINDOWS\SYSTEM32\BAK\hkcmd.exe"
      "C:\WINDOWS\SYSTEM32\BAK\igfxtray.exe"
      "C:\Program Files\Common Files\Symantec Shared\BAK\ccApp.exe"
      "C:\Program Files\CyberLink\POWERDVD\BAK\DVDLauncher.exe"
      "C:\Program Files\DELL\QUICKSET\BAK\quickset.exe"
      "C:\Program Files\HP\HP Software Update\BAK\HPWuSchd2.exe"
      "C:\Program Files\OLYMPUS\OLYMPUS Master\BAK\FirstStart.exe"
      "C:\Program Files\OLYMPUS\OLYMPUS Master\BAK\Monitor.exe"
      "C:\WINDOWS\SYSTEM32\DLA\BAK\tfswctrl.exe"
      "C:\Program Files\Common Files\REAL\Update_OB\BAK\realsched.exe"
      "C:\Program Files\Common Files\SONIC\Update Manager\BAK\sgtray.exe"
      "C:\Program Files\GOOGLE\GoogleToolbarNotifier\1.2.1128.5462\BAK\GoogleToolbarNotifier.exe"
      "C:\Program Files\JAVA\jre1.6.0_02\BIN\BAK\jusched.exe"


    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 2, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for .bak folder
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.
     
  6. bhoffart

    bhoffart Thread Starter

    Joined:
    Jan 18, 2008
    Messages:
    17
    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Sat 01/19/2008
    The current time is: 1:20:01.23


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\APOINT\BAK

    09/13/2004 03:33 PM 155,648 Apoint.exe
    1 File(s) 155,648 bytes

    Directory of C:\PROGRA~1\DIGSTR~1\BAK

    05/18/2005 02:49 PM 282,624 digstream.exe
    1 File(s) 282,624 bytes

    Directory of C:\PROGRA~1\ESPNRU~1\BAK

    05/19/2005 01:55 PM 101,888 DIGServices.exe
    1 File(s) 101,888 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    09/14/2007 09:00 AM 267,064 iTunesHelper.exe
    1 File(s) 267,064 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    06/29/2007 05:24 AM 286,720 QTTask.exe
    1 File(s) 286,720 bytes

    Directory of C:\PROGRA~1\SUPERA~1\BAK

    06/21/2007 12:06 PM 1,318,912 SUPERAntiSpyware.exe
    1 File(s) 1,318,912 bytes

    Directory of C:\PROGRA~1\SYMANT~1\BAK

    06/23/2005 06:27 PM 85,696 VPTray.exe
    1 File(s) 85,696 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 04:00 AM 15,360 ctfmon.exe
    02/15/2005 02:02 PM 126,976 hkcmd.exe
    02/15/2005 02:02 PM 155,648 igfxtray.exe
    3 File(s) 297,984 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    06/02/2005 08:21 AM 48,752 ccApp.exe
    1 File(s) 48,752 bytes

    Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

    04/26/2004 07:04 AM 53,248 DVDLauncher.exe
    1 File(s) 53,248 bytes

    Directory of C:\PROGRA~1\DELL\QUICKSET\BAK

    03/04/2005 10:26 AM 606,208 quickset.exe
    1 File(s) 606,208 bytes

    Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

    02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\OLYMPUS\OLYMPU~1\BAK

    10/20/2005 10:21 AM 40,960 FirstStart.exe
    10/20/2005 10:21 AM 57,344 Monitor.exe
    2 File(s) 98,304 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    12/06/2004 12:05 AM 127,035 tfswctrl.exe
    1 File(s) 127,035 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    09/16/2005 06:36 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    01/07/2004 12:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~2\121128~1.546\BAK

    09/18/2007 10:58 PM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK

    07/12/2007 02:00 AM 132,496 jusched.exe
    1 File(s) 132,496 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    155648 Sep 13 2004 "C:\Program Files\Apoint\Apoint.exe"
    155648 Sep 13 2004 "C:\drivers\mouse\onboard\Apoint.exe"
    155648 Sep 13 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
    282624 May 18 2005 "C:\Program Files\DIGStream\digstream.exe"
    282624 May 18 2005 "C:\Program Files\DIGStream\bak\digstream.exe"
    101888 May 19 2005 "C:\Program Files\ESPNRunTime\DIGServices.exe"
    101888 May 19 2005 "C:\Program Files\ESPNRunTime\bak\DIGServices.exe"
    267064 Sep 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
    267064 Sep 14 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Jan 15 2008 "C:\WINDOWS\Installer\{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}\iTunesIco.exe"
    116024 Sep 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.4.2.4\iTunesSetupAdmin.exe"
    286720 Jun 29 2007 "C:\Program Files\QuickTime\QTTask.exe"
    286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
    1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    5914648 Jul 17 2007 "C:\Documents and Settings\Benjamin\Desktop\SUPERAntiSpyware.exe"
    1318912 Jun 21 2007 "C:\Program Files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe"
    85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
    85696 Jun 23 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    126976 Feb 15 2005 "C:\WINDOWS\system32\hkcmd.exe"
    126976 Feb 15 2005 "C:\drivers\video\onboard\hkcmd.exe"
    126976 Feb 15 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
    155648 Feb 15 2005 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Feb 15 2005 "C:\drivers\video\onboard\igfxtray.exe"
    155648 Feb 15 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
    48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    48752 Jun 2 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    53248 Apr 26 2004 "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    53248 Apr 26 2004 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
    606208 Mar 4 2005 "C:\Program Files\Dell\QuickSet\quickset.exe"
    606208 Mar 4 2005 "C:\Program Files\Dell\QuickSet\bak\quickset.exe"
    49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
    49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
    40960 Oct 20 2005 "C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe"
    40960 Oct 20 2005 "C:\Program Files\OLYMPUS\OLYMPUS Master\bak\FirstStart.exe"
    57344 Oct 20 2005 "C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe"
    57344 Oct 20 2005 "C:\Program Files\OLYMPUS\OLYMPUS Master\bak\Monitor.exe"
    127035 Dec 6 2004 "C:\WINDOWS\system32\dla\tfswctrl.exe"
    127035 Dec 6 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
    127035 Dec 6 2004 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
    180269 Sep 16 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Sep 16 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
    110592 Jan 7 2004 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
    52272 Sep 18 2007 "C:\Program Files\Google\googletoolbar1user.exe"
    69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
    26694 Sep 18 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
    138168 Sep 18 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
    26636 Oct 11 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
    171448 Sep 18 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
    132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


    end of report
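The two reports above show the pattern FindAWF exists to catch: every autostart executable had been swapped for a 26,636-byte file dated Oct 11 2007 with the original parked in a neighbouring bak folder, and after option 2 the live copies match their bak twins again. As an added example (not part of this thread and not noahdfear's tool), the Python script below parses the "Duplicate files" section of such a report, flags which bak copies still differ from their live twin, fingerprints the loader that displaced them, and prints the quoted path list in the form the helper pastes into FindAWF.txt; the report excerpt is constructed from the format above and the function names are my own.

```python
"""Triage a FindAWF report: which bak copies still need restoring?

AWF-style infections replace autostart executables with a small loader
and park the original in a "bak" subfolder. FindAWF lists each bak file
together with every same-named file on disk, so comparing a live copy
against its bak twin tells us whether the original is back in place.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in FindAWF's own "Duplicate files" line format:
#   <size> <Mon> <day> <year> "<path>"
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

26636 Oct 11 2007 "C:\Program Files\Apoint\Apoint.exe"
155648 Sep 13 2004 "C:\drivers\mouse\onboard\Apoint.exe"
155648 Sep 13 2004 "C:\Program Files\Apoint\bak\Apoint.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
26636 Oct 11 2007 "C:\WINDOWS\system32\hkcmd.exe"
126976 Feb 15 2005 "C:\drivers\video\onboard\hkcmd.exe"
126976 Feb 15 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
52272 Sep 18 2007 "C:\Program Files\Google\googletoolbar1user.exe"

end of report
"""

LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str


def parse_duplicates(report: str) -> List[Entry]:
    """Return the entries of the 'Duplicate files' section, in report order."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.strip().startswith("Duplicate files of bak directory"):
            in_section = True
            continue
        if line.strip().lower() == "end of report":
            break
        m = LINE_RE.match(line) if in_section else None
        if m:
            date = " ".join(m.group(2).split())  # collapse padding between fields
            entries.append(Entry(int(m.group(1)), date, m.group(3)))
    return entries


def live_path_of(path: str) -> Optional[str]:
    """Map '<dir>\\bak\\<file>' to '<dir>\\<file>'; None if not a bak entry."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def triage(report: str) -> Dict[str, object]:
    """Classify every bak copy as 'restore', 'intact' or 'missing', and
    fingerprint the loader if one (size, date) pair displaced several originals."""
    entries = parse_duplicates(report)
    by_path = {e.path.lower(): e for e in entries}
    result: Dict[str, object] = {"restore": [], "intact": [], "missing": [], "loader": None}
    displaced: Counter = Counter()
    for e in entries:
        live = live_path_of(e.path)
        if live is None:
            continue  # not a bak copy; just a same-named file elsewhere
        twin = by_path.get(live.lower())
        if twin is None:
            result["missing"].append(e.path)      # nothing left at the live path
        elif twin.size == e.size and twin.date == e.date:
            result["intact"].append(e.path)       # original already restored
        else:
            result["restore"].append(e.path)      # live copy is not the original
            displaced[(twin.size, twin.date)] += 1
    if displaced:
        (size, date), n = displaced.most_common(1)[0]
        if n >= 2:  # unrelated vendors' binaries sharing one size/date is the tell
            result["loader"] = {"size": size, "date": date, "count": n}
    return result


def findawf_restore_list(result: Dict[str, object]) -> str:
    """Quoted path per line, the form pasted into FindAWF.txt for option 2."""
    return "\n".join(f'"{p}"' for p in result["restore"])


if __name__ == "__main__":
    res = triage(SAMPLE_REPORT)
    print("Still displaced (paste into FindAWF option 2):")
    print(findawf_restore_list(res))
    print("Already intact:", res["intact"])
    print("Loader fingerprint:", res["loader"])
```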
     
  7. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\Program Files\APOINT\BAK
      C:\Program Files\DIGStream\BAK
      C:\Program Files\ESPNRunTime\BAK
      C:\Program Files\ITUNES\BAK
      C:\Program Files\QuickTime\BAK
      C:\Program Files\SUPERAntiSpyware\BAK
      C:\Program Files\Symantec AntiVirus\BAK
      C:\WINDOWS\SYSTEM32\BAK
      C:\Program Files\Common Files\Symantec Shared\BAK
      C:\Program Files\CyberLink\POWERDVD\BAK
      C:\Program Files\DELL\QUICKSET\BAK
      C:\Program Files\HP\HP Software Update\BAK
      C:\Program Files\OLYMPUS\OLYMPUS Master\BAK
      C:\Program Files\OLYMPUS\OLYMPUS Master\BAK
      C:\WINDOWS\SYSTEM32\DLA\BAK
      C:\Program Files\Common Files\REAL\Update_OB\BAK
      C:\Program Files\Common Files\SONIC\Update Manager\BAK
      C:\Program Files\GOOGLE\GoogleToolbarNotifier\1.2.1128.5462\BAK
      C:\Program Files\JAVA\jre1.6.0_02\BIN\BAK


    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 3, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the bad folders and will perform another scan for .bak folder
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.
     
  8. bhoffart

    bhoffart Thread Starter

    Joined:
    Jan 18, 2008
    Messages:
    17
    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Sat 01/19/2008
    The current time is: 14:27:44.93


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
     
  9. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    Hi, bhoffart :)

    That took care of it.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 4, then press Enter.
    • You will receive a warning to reset domain zones
    • Press 1 then press Enter.
    • If you have manually included sites in the trusted zones, these will need to be re-inserted.
    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
    Let's take a deeper look.

    Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.
    If the files are too long, attach them to a reply:
    1. Scroll down and click the [Manage Attachments] button
    2. Browse to the following folder:
      • C:\Deckard\System Scanner
    3. Click Upload to upload these files one by one
    4. Submit your reply
     
  10. bhoffart

    bhoffart Thread Starter

    Joined:
    Jan 18, 2008
    Messages:
    17
    Deckard's System Scanner v20071014.68
    Run by Benjamin on 2008-01-21 12:39:47
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    System Restore is disabled; attempting to re-enable...success.


    -- Last 1 Restore Point(s) --
    1: 2008-01-21 18:39:54 UTC - RP1 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 504 MiB (512 MiB recommended).


    -- HijackThis (run as Benjamin.exe) --------------------------------------------

    logfile has no content; running clone.
    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-01-21 12:44:29
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\WLTRYSVC.EXE
    C:\WINDOWS\system32\BCMWLTRY.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\scardsvr.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\BAsfIpM.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\alg.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Symantec AntiVirus\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\Apoint\ApntEx.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Documents and Settings\Benjamin\Desktop\dss.exe
    C:\Documents and Settings\Benjamin\Desktop\Benjamin.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.northwestern.edu/ewc/student/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: West Group CiteLink Microsoft IE Shell - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
    O3 - Toolbar: LexisNexis Toolbar - {86BE1CDA-4F72-4c2f-9526-8E6A22DF46ED} - mscoree.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\bak\quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
    O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BounceBack Launcher.lnk = C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM (file missing)
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.turing.libra...ib/northwestern/support/plugins/ebraryRdr.cab
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
    O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} (SentinelVE3D Class) - http://download.microsoft.com/download/0/f/b/0fb0fab9-7f09-4bb6-86d8-8e791ba99ac5/VirtualEarth3D.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177206807750
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.93.139.144/activex/AxisCamControl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{7C567BD8-B506-4EE0-B765-6063AA6C0247}: NameServer = 129.105.49.1 165.124.49.21
    O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
    O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
    O18 - Protocol: x-mem1 - {C3719F83-7EF8-4BA0-89B0-3360C7AFB7CC} - C:\WINDOWS\system32\wowctl2.dll
    O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\BAsfIpM.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
    O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\system32\WLTRYSVC.EXE


    --
    End of file - 15663 bytes

    -- HijackThis Fixed Entries (C:\DOCUME~1\Benjamin\Desktop\backups\) ------------

    backup-20070718-235718-108 O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
    backup-20070718-235718-328 O2 - BHO: LNHelper.BarHelper - {05A34600-8920-479b-92A9-68FACF7BB8FA} - mscoree.dll (file missing)
    backup-20070718-235718-503 O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
    backup-20070718-235718-566 O2 - BHO: (no name) - {03917756-5D5F-4121-BB31-AA60117942D0} - C:\WINDOWS\system32\ddabc.dll (file missing)
    backup-20070718-235718-849 O20 - Winlogon Notify: vtstr - C:\WINDOWS\system32\vtstr.dll (file missing)

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver>
    R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
    R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Inc; OMCI Driver>
    R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
    R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
    R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
    R2 portD (CMS PortIO Service) - c:\windows\system32\drivers\portd2k.sys <Not Verified; CMS Peripherals, Inc.; BounceBack>
    R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

    S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
    S3 EraserUtilDrv1061 - c:\program files\common files\symantec shared\eengine\eraserutildrv1061.sys (file missing)
    S3 SbcpHid - c:\windows\system32\drivers\sbcphid.sys


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 BAsfIpM (Broadcom ASF IP monitoring service v6.0.4) - c:\windows\system32\basfipm.exe <Not Verified; Broadcom Corp.; Broadcom ASF IP monitoring service>
    R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-01-16 16:02:06 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


    -- Files created between 2007-12-21 and 2008-01-21 -----------------------------

    2008-01-18 19:32:12 0 d-------- C:\Documents and Settings\Benjamin\Application Data\Awola
    2008-01-18 18:25:43 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-18 18:25:20 0 d-------- C:\Program Files\Spyware Doctor
    2008-01-18 18:25:20 0 d-------- C:\Documents and Settings\Benjamin\Application Data\PC Tools
    2008-01-18 10:34:18 25050 --a------ C:\WINDOWS\system32\kcopt.dll
    2008-01-18 01:10:35 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-18 01:10:35 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
    2008-01-18 01:10:35 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
    2008-01-18 01:10:35 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
    2008-01-18 01:10:35 81920 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
    2008-01-18 01:10:35 51200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-18 00:54:42 489984 --a------ C:\Documents and Settings\Benjamin\installer.exe
    2008-01-17 18:00:30 14336 --a------ C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    2008-01-17 17:58:26 14336 --a------ C:\WINDOWS\system32\d234fr4rgfews34rwfds.exe
    2008-01-14 20:28:29 1036 --a------ C:\WINDOWS\system32\ksvcl.dll


    -- Find3M Report ---------------------------------------------------------------

    2008-01-21 12:36:46 0 d-------- C:\Program Files\Java
    2008-01-21 12:24:25 0 d-------- C:\Program Files\Symantec AntiVirus
    2008-01-19 14:27:43 0 d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-19 14:27:43 0 d-------- C:\Program Files\QuickTime
    2008-01-19 14:27:43 0 d-------- C:\Program Files\iTunes
    2008-01-19 14:27:43 0 d-------- C:\Program Files\ESPNRunTime
    2008-01-19 14:27:43 0 d-------- C:\Program Files\DIGStream
    2008-01-19 14:27:43 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-01-19 14:27:43 0 d-------- C:\Program Files\Apoint
    2008-01-16 11:29:38 0 d-------- C:\Documents and Settings\Benjamin\Application Data\Adobe
    2008-01-08 11:39:01 0 d-------- C:\Program Files\ConsoleClassix.com
    2008-01-04 10:26:09 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
    2007-12-14 19:05:50 15 --a------ C:\WINDOWS\CDE5-52F3-A2BD-A506.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [09/13/2004 03:33 PM]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [02/15/2005 02:02 PM]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [02/15/2005 02:02 PM]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\bak\quickset.exe" []
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [04/26/2004 07:04 AM]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [01/07/2004 12:01 AM]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [12/06/2004 12:05 AM]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [06/02/2005 08:21 AM]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/23/2005 06:27 PM]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/16/2005 06:36 PM]
    "DIGStream"="C:\Program Files\DIGStream\digstream.exe" [05/18/2005 02:49 PM]
    "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [05/19/2005 01:55 PM]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [02/16/2005 11:11 PM]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [10/20/2005 10:21 AM]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 05:24 AM]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/14/2007 09:00 AM]
    "lanmanwrk.exe"="C:\WINDOWS\System32\lanmanwrk.exe" []
    "KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" []
    "ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [10/20/2005 10:21 AM]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [06/21/2007 12:06 PM]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [10/11/2007 01:59 AM]
    "SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" []
    "Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Benjamin\Application Data\kchpy.exe" [01/17/2008 05:58 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 10:05:26 PM]
    BounceBack Launcher.lnk - C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe [3/8/2007 10:28:53 PM]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [7/22/2005 6:36:14 AM]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [01/07/2005 07:21 AM 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [12/20/2006 11:55 AM 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 04/19/2007 11:41 AM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"




    -- End of Deckard's System Scanner: finished at 2008-01-21 12:47:30 ------------
     
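    The Registry Dump in the post above is the part of a Deckard's System Scanner log that a malware helper reads first: an auto-start value whose executable sits under a user's Application Data folder, whose value name is a bare file name, or whose display name borrows a Microsoft product name while pointing outside %windir% is what gets an entry onto the fix list. The script below is an added example, not part of this thread and not code from Deckard's System Scanner or HijackThis: it parses DSS-style `"Name"="path" [timestamp]` lines and scores each autorun with a few such heuristics. The sample input is an excerpt copied from the dump above; the directory list, the scoring weights and the threshold are my own assumptions, and the heuristics are deliberately simple (they do not catch the rogue SpyDefender entry, for instance), so treat the output as a triage aid rather than a verdict.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# One '"Name"="path" [timestamp]' line as printed in a DSS registry dump.
# The bracket is empty ("[]") when DSS found no file metadata for the path.
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')

# Assumed list: directories where a legitimate auto-start executable
# almost never lives on a Windows XP box.
USER_PROFILE_DIRS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
)

# Excerpt copied from the Registry Dump in the post above (sample input).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [09/13/2004 03:33 PM]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\bak\quickset.exe" []
"lanmanwrk.exe"="C:\WINDOWS\System32\lanmanwrk.exe" []
"KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" []
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [12/10/2007 02:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 04:00 AM]
"SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" []
"Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Benjamin\Application Data\kchpy.exe" [01/17/2008 05:58 PM]
"""


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    stamp: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_run_dump(text: str) -> list:
    """Parse the [HKLM\\...\\Run] / [HKCU\\...\\Run] sections of a DSS dump."""
    entries, hive = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            hive = line[1:-1]  # a new registry key header
            continue
        m = RUN_LINE.match(line)
        if m and hive:
            entries.append(RunEntry(hive, m["name"], m["path"], m["stamp"].strip()))
    return entries


def triage(entry: RunEntry) -> RunEntry:
    """Attach a heuristic score and human-readable reasons to one entry."""
    path = entry.path.lower()
    name = entry.name.lower()

    def hit(points: int, why: str) -> None:
        entry.score += points
        entry.reasons.append(why)

    if any(d in path for d in USER_PROFILE_DIRS):
        hit(2, "auto-start executable lives under a user profile directory")
    if not entry.stamp:
        hit(1, "DSS printed no file timestamp (file missing or unreadable)")
    if name.endswith(".exe"):
        hit(1, "value name is a bare file name rather than a product name")
    if ("microsoft" in name or "windows" in name) and "\\windows\\" not in path:
        hit(2, "name imitates a Windows component but the path is outside %windir%")
    return entry


def flag_suspicious(text: str, threshold: int = 2) -> list:
    """Return triaged entries scoring at or above the threshold, highest first."""
    scored = [triage(e) for e in parse_run_dump(text)]
    flagged = [e for e in scored if e.score >= threshold]
    return sorted(flagged, key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_DUMP):
        print(f"[{e.score}] {e.hive.split(chr(92))[0]}\\..\\Run: [{e.name}] {e.path}")
        for r in e.reasons:
            print(f"      - {r}")
```

    Run against the excerpt, the script flags the `kchpy.exe` entry hiding behind the "Microsoft Windows Adapter" name and the two bare-file-name values in System32 that DSS could not stat, and leaves Apoint, ctfmon and the Dell QuickSet entry alone. The weights are only a starting point; the value of the approach is that it makes the helper's mental checklist explicit and repeatable over a long log.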
  11. bhoffart

    bhoffart Thread Starter

    Joined:
    Jan 18, 2008
    Messages:
    17
    Deckard's System Scanner v20071014.68
    Extra logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information ----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Pentium(R) M processor 1.86GHz
    Percentage of Memory in Use: 71%
    Physical Memory (total/avail): 503.36 MiB / 145.24 MiB
    Pagefile Memory (total/avail): 1228.5 MiB / 539.78 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1923.42 MiB

    C: is Fixed (NTFS) - 37.21 GiB total, 6.06 GiB free.

    \\.\PHYSICALDRIVE0 - FUJITSU MHV2040AH - 37.26 GiB - 2 partitions
    \PARTITION0 - Unknown - 39.19 MiB
    \PARTITION1 (bootable) - Installable File System - 37.21 GiB - C:



    -- Security Center -------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.

    AV: Symantec AntiVirus Corporate Edition v10.0.1.1000 (Symantec Corporation)

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"

    [HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:mad:xpsp2res.dll,-22019"
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
    "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
    "C:\\Program Files\\Microsoft Games\\Age of Empires II Trial\\EMPIRES2.EXE"="C:\\Program Files\\Microsoft Games\\Age of Empires II Trial\\EMPIRES2.EXE:*:Enabled:Age of Empires II"
    "C:\\Program Files\\HP\\Image Zone Express\\HP_IZE.exe"="C:\\Program Files\\HP\\Image Zone Express\\HP_IZE.exe:*:Enabled:HP Image Zone Express"
    "C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"="C:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe:*:Enabled:HP Software Update Client"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
    "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
    "C:\\Program Files\\Tax Analysts\\OneDisc\\LPLocal.exe"="C:\\Program Files\\Tax Analysts\\OneDisc\\LPLocal.exe:*:Enabled:LivePublish Personal Edition HTTP Server"
    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:RealPlayer"
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:mad:xpsp3res.dll,-20000"
    "C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
    "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


    -- Environment Variables -------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Benjamin\Application Data
    CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    CLIENTNAME=Console
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=LITTLEDELL
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Benjamin
    LOGONSERVER=\\LITTLEDELL
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 8, GenuineIntel
    PROCESSOR_LEVEL=6
    PROCESSOR_REVISION=0d08
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Benjamin\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Benjamin\LOCALS~1\Temp
    USERDOMAIN=LITTLEDELL
    USERNAME=Benjamin
    USERPROFILE=C:\Documents and Settings\Benjamin
    windir=C:\WINDOWS
    __COMPAT_LAYER=EnableNXShowUI


    -- User Profiles ---------------------------------------------------------------

    Benjamin (admin)
    Administrator (admin)


    -- Add/Remove Programs ---------------------------------------------------------

    --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
    --> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
    --> C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
    Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
    Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
    ALPS Touch Pad Driver --> C:\Program Files\Apoint\Uninstap.exe ADDREMOVE
    AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
    Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
    Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
    BounceBack Express --> C:\WINDOWS\BBUninstall.exe
    Broadcom Advanced Control Suite 2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{64A77F14-0E08-4A97-A859-E93CFF428756} /l1033
    Broadcom ASF Management Applications --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{25D24E84-64A9-40D2-85CF-540B1C4A6D52} /l1033
    Conexant D110 MDC V.9x Modem --> C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_8086&DEV_24x6&SUBSYS_542214F1\HXFSETUP.EXE -U -Idel5422k.inf
    Dell Wireless WLAN Card --> C:\WINDOWS\system32\BCMWLU00.exe verbose
    Digital Line Detect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E646DCF0-5A68-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
    DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
    DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
    DivX Converter --> C:\Program Files\DivX\ConverterUninstall.exe /CONVERTER
    DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
    DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
    eMusic Download Manager --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\eMusic Download Manager\Uninst.isu"
    ESPN RunTime --> C:\Program Files\ESPNRunTime\DIGSvcUninstall.exe /brand=ESPN
    Eudora --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9CED8E9D-2463-46BA-827B-F792FC1DC030}\Setup.exe" -l0x9
    FreeZip --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\freezip.inf,Uninstall
    Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
    Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
    Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
    Guinness Screensaver --> C:\WINDOWS\system32\Guinness Screensaver.scr /u
    HijackThis 2.0.2 --> "C:\Documents and Settings\Benjamin\Local Settings\Temporary Internet Files\Content.IE5\ZJDQY9ND\HijackThis.exe" /uninstall
    HP Image Zone 4.2 --> C:\Program Files\HP\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
    HP Image Zone Express --> MsiExec.exe /X{759524D5-08C9-4E88-8EB3-8D6ECB226C52}
    HP PSC & OfficeJet 4.2 --> "C:\Program Files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe" -datfile hposcr04.dat
    HP Software Update --> MsiExec.exe /X{15EE79F4-4ED1-4267-9B0F-351009325D7D}
    ieSpell --> "C:\Program Files\ieSpell\uninst.exe"
    ImageMixer VCD/DVD2 for OLYMPUS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F51A0CA-2BDD-474E-BB90-C7FA8EA78F52}\Setup.exe" -l0x9 UNINSTALL
    Intel(R) Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
    Internal Network Card Power Management --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F528948-0E80-4C96-B455-DE4167CB1DF7}\setup.exe" -l0x9 UNINSTALL APPDRVNT4
    iPod for Windows 2005-11-17 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8338BA06-E527-491B-9400-F51708FEE695} /l1033
    IrfanView (remove only) --> C:\Program Files\IrfanView\iv_uninstall.exe
    iTunes --> MsiExec.exe /I{7FF9CD9C-6E0C-4462-9670-F424DCB32DAF}
    Java(TM) 6 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
    LexisNexis Toolbar --> MsiExec.exe /I{86BE1CDA-4F72-4C2F-9526-8E6A22DF46ED}
    LiveUpdate 2.6 (Symantec Corporation) --> C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
    Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
    Modem Helper --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F142D56-3326-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanel
    Move Networks Media Player for Internet Explorer --> C:\Documents and Settings\Benjamin\Application Data\Move Networks\ie_bin\Uninst.exe
    Napster --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BBBCAE4B-B416-4182-A6F2-438180894A81}\setup.exe" -l0x9 -removeonly
    Napster Burn Engine --> MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
    NCR Label Formats for MS Word Setup --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\NCR Media Formats\Uninst.isu"
    NetWaiting --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe" -l0x9 ControlPanelAnyText
    OLYMPUS Master --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BA820A24-704B-428D-9904-71A10DAC1372} /l1033 /zUNINSTALL
    Orban/Coding Technologies AAC/aacPlus Player Plugin™ 1.0 --> "C:\Program Files\Orban\AAC-aacPlus Plugin\unins000.exe"
    Porrasturvat - Stair Dismount --> C:\Program Files\Porrasturvat - Stair Dismount\uninstall.exe
    PowerDVD 5.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    PrimoPDF --> "C:\WINDOWS\PrimoPDF\uninstall.exe" "/U:C:\Program Files\activePDF\PrimoPDF\Uninstall\uninstall.xml"
    QuickSet --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C5074CC4-0E26-4716-A307-960272A90040}\setup.exe" -l0x9 UNINSTALL APPDRVNT4 - ALL
    QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
    RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
    Security Update for Step By Step Interactive Training (KB898458) --> "C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
    Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
    Skype™ 3.2 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
    Snood for Windows version 3.52-W --> "C:\Program Files\Snood\unins000.exe"
    Sonic DLA --> MsiExec.exe /I{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}
    Sonic RecordNow! Plus --> MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
    Sonic Update Manager --> MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
    Spyware Doctor 5.5 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
    SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
    Symantec AntiVirus --> MsiExec.exe /I{3248E093-5288-4CA9-B3AB-11A675FEA1F9}
    Tax Analysts' OneDisc --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EE427EB-4B6E-472B-90E5-C8179A80D0DC}\setup.exe" -l0x9 -uninst -removeonly
    Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
    Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
    Virtual Earth 3D (Beta) --> MsiExec.exe /I{619B8475-0F48-41B7-A370-5147F7092989}
    Weather Depot Version 1.45.00 --> "C:\Program Files\Weather Depot\unins000.exe"
    Weather Services --> C:\WINDOWS\System32\control.exe C:\WINDOWS\System32\wxfw.cpl,4
    WestCiteLink --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\West Group\CiteLink\CiteLink.isu"
    Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
    Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
    WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
    Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
    Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
    Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
    Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


    -- Application Event Log -------------------------------------------------------

    Event Record #/Type4430 / Error
    Event Submitted/Written: 01/21/2008 00:46:07 PM
    Event ID/Source: 51 / Symantec AntiVirus
    Event Description:
    Security Risk Found!Threat: SecurityRisk.Downldr in File: C:\Documents and Settings\Benjamin\Local Settings\Temp\1192641750.dat.exe by: Auto-Protect scan. Action: Clean failed : Quarantine failed : Access allowed. Action Description: Quarantine was partially successful.

    Event Record #/Type4429 / Error
    Event Submitted/Written: 01/21/2008 00:45:17 PM
    Event ID/Source: 46 / Symantec AntiVirus
    Event Description:
    Security Risk Found!Threat: SecurityRisk.Downldr in File: C:\Documents and Settings\Benjamin\Local Settings\Temp\1192641750.dat.exe by: Auto-Protect scan. Action: Clean failed : Quarantine failed. Action Description: The file was left unchanged.

    Event Record #/Type4428 / Error
    Event Submitted/Written: 01/21/2008 00:41:54 PM
    Event ID/Source: 5 / Symantec AntiVirus
    Event Description:
    Threat Found!Threat: SecurityRisk.Downldr in File: C:\Documents and Settings\Benjamin\Local Settings\Temp\1192641750.dat.exe by: Auto-Protect scan. Action: Pending Side Effects Analysis. Action Description:

    Event Record #/Type4415 / Error
    Event Submitted/Written: 01/20/2008 01:45:16 PM
    Event ID/Source: 45 / Symantec AntiVirus
    Event Description:
    Threat: C:\Program Files\Spyware Doctor\pctsSvc.exe in File: C:\Program Files\Symantec AntiVirus\Rtvscan.exe by: Tamper Protection scan. Action: Blocked. Action Description:

    Event Record #/Type4414 / Error
    Event Submitted/Written: 01/20/2008 01:45:16 PM
    Event ID/Source: 45 / Symantec AntiVirus
    Event Description:
    Threat: C:\Program Files\Spyware Doctor\pctsSvc.exe in File: C:\Program Files\Symantec AntiVirus\Rtvscan.exe by: Tamper Protection scan. Action: Blocked. Action Description:



    -- Security Event Log ----------------------------------------------------------

    No Errors/Warnings found.


    -- System Event Log ------------------------------------------------------------

    Event Record #/Type53260 / Warning
    Event Submitted/Written: 01/21/2008 00:17:44 PM / 01/21/2008 00:18:12 PM
    Event ID/Source: 4 / b57w2k
    Event Description:
    Broadcom NetXtreme 57xx Gigabit Controller: The network link is down. Check to make sure the network cable is properly connected.

    Event Record #/Type53247 / Error
    Event Submitted/Written: 01/21/2008 11:46:31 AM
    Event ID/Source: 1002 / Dhcp
    Event Description:
    The IP address lease 192.168.1.2 for the Network Card with network address 0014A508A8A0 has been
    denied by the DHCP server 129.105.49.10 (The DHCP Server sent a DHCPNACK message).

    Event Record #/Type53240 / Error
    Event Submitted/Written: 01/20/2008 01:42:45 PM
    Event ID/Source: 29 / W32Time
    Event Description:
    The time provider NtpClient is configured to acquire time from one or more
    time sources, however none of the sources are currently accessible.
    No attempt to contact a source will be made for 29 minutes.
    NtpClient has no source of accurate time.

    Event Record #/Type53239 / Error
    Event Submitted/Written: 01/20/2008 01:42:45 PM
    Event ID/Source: 17 / W32Time
    Event Description:
    Time Provider NtpClient: An error occurred during DNS lookup of the manually
    configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 30
    minutes.
    The error was: A socket operation was attempted to an unreachable host. (0x80072751)

    Event Record #/Type53237 / Error
    Event Submitted/Written: 01/19/2008 03:51:53 PM
    Event ID/Source: 17 / W32Time
    Event Description:
    Time Provider NtpClient: An error occurred during DNS lookup of the manually
    configured peer 'time.nist.gov,0x1'. NtpClient will try the DNS lookup again in 15
    minutes.
    The error was: A socket operation was attempted to an unreachable host. (0x80072751)



    -- End of Deckard's System Scanner: finished at 2008-01-21 12:47:30 ------------
     
  12. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    Hi, bhoffart :)

    We are not in the clear yet.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Close any open browsers.
    2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------​
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
        -----------------------------------------------------------​
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      -----------------------------------------------------------​
    3. Double-click on ComboFix.exe & follow the prompts.
    4. When finished, it will produce a report for you.
    5. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall**
     
  13. bhoffart

    bhoffart Thread Starter

    Joined:
    Jan 18, 2008
    Messages:
    17
    ComboFix 08-01-20.1 - Benjamin 2008-01-21 13:16:50.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.129 [GMT -6:00]
    Running from: C:\Documents and Settings\Benjamin\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Benjamin\Application Data\Awola
    C:\Documents and Settings\Benjamin\Application Data\Awola\Awola.exe
    C:\Documents and Settings\Benjamin\Start Menu\Programs\Awola
    C:\Program Files\poolsv
    C:\Program Files\poolsv\k11u72.exe
    C:\Program Files\poolsv\wr-1-0000077.exe
    C:\Program Files\svhost
    C:\Program Files\svhost\wr-1-0000077.exe
    C:\Program Files\WinBudget
    C:\Program Files\WinBudget\bin\crap.1192425434.old
    C:\Program Files\WinBudget\bin\crap.1193987662.old
    C:\Program Files\WinBudget\bin\crap.1194715173.old
    C:\Program Files\WinBudget\bin\crap.1195337779.old
    C:\Program Files\WinBudget\bin\crap.1196013907.old
    C:\Program Files\WinBudget\bin\crap.1197265680.old
    C:\Program Files\WinBudget\bin\crap.1197673342.old
    C:\Program Files\WinBudget\bin\crap.1198284031.old
    C:\Program Files\WinBudget\bin\matrix.dat
    C:\Program Files\WinBudget\bin\matrix.dll
    C:\Program Files\WinBudget\bin\matrix.dll.1194715172.old
    C:\Program Files\WinBudget\bin\matrix.dll.1195337778.old
    C:\Program Files\WinBudget\bin\matrix.dll.1196013906.old
    C:\Program Files\WinBudget\bin\matrix.dll.1197265680.old
    C:\Program Files\WinBudget\bin\matrix.dll.1197673340.old
    C:\Program Files\WinBudget\bin\matrix.dll.1198284030.old
    C:\temp\0c2
    C:\temp\0c2\tmpFF.log
    C:\temp\brr
    C:\temp\brr\tmpZTF.log
    C:\WINDOWS\g32.txt
    C:\WINDOWS\icroso~1.net
    C:\WINDOWS\icroso~1.net\?icrosoft.NET\
    C:\WINDOWS\system32\b10FdUe
    C:\WINDOWS\system32\b10FdUe\b10FdUe1099.exe
    C:\WINDOWS\system32\driver
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\ksvcl.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\Z1
    C:\WINDOWS\system32\Z1\mwspasrt83122.exe
    C:\WINDOWS\system32\Z11
    C:\WINDOWS\system32\Z3
    C:\WINDOWS\system32\Z3\w0716.exe
    C:\WINDOWS\system32\Z5
    C:\WINDOWS\system32\Z7
    C:\WINDOWS\wr.txt

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-21 to 2008-01-21 )))))))))))))))))))))))))))))))
    .

    2008-01-21 13:15 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-21 12:39 . 2008-01-21 12:39 <DIR> d-------- C:\Deckard
    2008-01-21 12:37 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-01-18 18:25 . 2008-01-21 12:39 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-01-18 18:25 . 2008-01-18 18:25 <DIR> d-------- C:\Documents and Settings\Benjamin\Application Data\PC Tools
    2008-01-18 18:25 . 2008-01-21 13:10 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-01-18 18:25 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-01-18 18:25 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-01-18 18:25 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-01-18 18:25 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-01-18 10:34 . 2008-01-18 18:23 25,050 --a------ C:\WINDOWS\system32\kcopt.dll
    2008-01-18 01:10 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-01-18 01:10 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-01-18 01:10 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-01-18 01:10 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-01-18 01:10 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-01-18 01:10 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-01-18 00:54 . 2008-01-18 00:54 489,984 --a------ C:\Documents and Settings\Benjamin\installer.exe
    2008-01-17 18:00 . 2008-01-17 17:58 14,336 --a------ C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    2008-01-17 17:58 . 2008-01-17 17:58 14,336 --a------ C:\WINDOWS\system32\d234fr4rgfews34rwfds.exe
    2008-01-15 23:23 . 2008-01-21 13:15 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-15 23:23 . 2008-01-15 23:24 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-21 19:14 --------- d-----w C:\Program Files\Symantec AntiVirus
    2008-01-21 18:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\DIGStream
    2008-01-21 18:36 --------- d-----w C:\Program Files\Java
    2008-01-19 20:27 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-01-19 20:27 --------- d-----w C:\Program Files\QuickTime
    2008-01-19 20:27 --------- d-----w C:\Program Files\iTunes
    2008-01-19 20:27 --------- d-----w C:\Program Files\ESPNRunTime
    2008-01-19 20:27 --------- d-----w C:\Program Files\DIGStream
    2008-01-19 20:27 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-19 20:27 --------- d-----w C:\Program Files\Apoint
    2008-01-08 17:39 --------- d-----w C:\Program Files\ConsoleClassix.com
    2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\lsasrv.dll
    2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-10-30 23:42 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-27 23:39 230,912 ------w C:\WINDOWS\system32\wmasf.dll
    2007-10-27 23:39 230,912 ------w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-27 23:37 2,109,440 ------w C:\WINDOWS\system32\dllcache\wmvcore.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2004-04-19 08:10 65,668 ------w C:\Program Files\Common Files\CABINET.DLL
    2004-04-19 08:10 303,236 ------w C:\Program Files\Common Files\setup.dll
    2004-04-19 08:10 180,356 ------w C:\Program Files\Common Files\IGdi.dll
    2004-04-19 04:35 380,928 ------w C:\Program Files\Common Files\_setup2kint.dll
    2004-04-19 04:35 368,640 ------w C:\Program Files\Common Files\_setup7int.dll
    2004-04-19 04:35 159,744 ------w C:\Program Files\Common Files\_setup2k.dll
    2004-04-19 04:35 147,456 ------w C:\Program Files\Common Files\_setup7.dll
    2007-07-18 02:13 6,365 --sh--w C:\WINDOWS\system32\cbadd.bak1
    2005-09-27 14:17 422,298 --sh--w C:\WINDOWS\system32\rtstv.bak1
    2005-11-04 17:23 226,006 --sh--w C:\WINDOWS\system32\rtstv.bak2
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2005-10-20 10:21 57344]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00 15360]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 12:06 1318912]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-10-11 01:59 26636]
    "SpyDefender Shield"="C:\Program Files\SpyDefender Pro\SpyDefender.exe" [ ]
    "Microsoft Windows Adapter 5.1.3214"="C:\Documents and Settings\Benjamin\Application Data\kchpy.exe" [2008-01-17 17:58 14336]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 15:33 155648]
    "IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 14:02 155648]
    "HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-02-15 14:02 126976]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\bak\quickset.exe" [ ]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04 53248]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 00:01 110592]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 08:21 48752]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 18:27 85696]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-16 18:36 180269]
    "DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 14:49 282624]
    "DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 13:55 101888]
    "HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
    "OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2005-10-20 10:21 40960]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24 286720]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-14 09:00 267064]
    "KernelDrv.exe"="C:\WINDOWS\System32\KernelDrv.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    BounceBack Launcher.lnk - C:\Program Files\CMS Peripherals\BounceBack Express\BBLauncher.exe [2007-03-08 22:28:53 98304]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-07-22 06:36:14 24576]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= C:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2005-01-07 07:21 86016]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 11:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 11:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    R2 portD;CMS PortIO Service;C:\WINDOWS\system32\DRIVERS\portd2k.sys [2004-02-23 08:40]
    R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 20:26]
    S3 EraserUtilDrv1061;EraserUtilDrv1061;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv1061.sys []

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-16 22:02:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-21 13:21:15
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-21 13:22:06
    ComboFix-quarantined-files.txt 2008-01-21 19:21:43
    .
    2008-01-09 09:03:15 --- E O F ---
     
  14. bhoffart

    bhoffart Thread Starter

    Joined:
    Jan 18, 2008
    Messages:
    17
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:29:59 PM, on 1/21/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\DIGStream\digstream.exe
    C:\Program Files\ESPNRunTime\DIGServices.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\program files\internet explorer\iexplore.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Benjamin\Desktop\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.law.northwestern.edu/ewc/student/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O2 - BHO: West Group CiteLink Microsoft IE Shell - {80230FFE-53DD-11D2-AE5F-0000832F3A64} - C:\Program Files\West Group\CiteLink\clie\clie.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: LexisNexis Toolbar - {86BE1CDA-4F72-4c2f-9526-8E6A22DF46ED} - mscoree.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\bak\quickset.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BounceBack Launcher.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
    O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.turing.libra...ib/northwestern/support/plugins/ebraryRdr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1177206807750
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://129.93.139.144/activex/AxisCamControl.cab
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7C567BD8-B506-4EE0-B765-6063AA6C0247}: NameServer = 129.105.49.1 165.124.49.21
    O17 - HKLM\System\CS1\Services\Tcpip\..\{7C567BD8-B506-4EE0-B765-6063AA6C0247}: NameServer = 129.105.49.1 165.124.49.21
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 13338 bytes
     
  15. JSntgRvr

    JSntgRvr Moderator Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,551
    First Name:
    José
    SpyDefender is a program of dubious reputation. Please remove this program from your computer.

    RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop. Once downloaded, RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

    Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as CFScript.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a HijackThis log.
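As an added example (not code from this thread, from HijackThis, or from any other tool it mentions), the Python script below mechanises the kind of triage the helper is doing on the log above: it flags O15 Trusted Zone entries (the ones DelDomains.inf clears), O4 autoruns that launch from user-writable profile or temp directories or carry a Windows-sounding name outside C:\WINDOWS, program names this thread itself calls rogue, and O23 services with no recorded publisher. The sample lines are constructed from the HijackThis log posted earlier in the thread; the heuristics, field names and severity labels are my own assumptions, not anything HijackThis provides.

```python
import re
from typing import Dict, List

# Constructed sample input: HijackThis 2.0.2 lines copied from the log posted
# in this thread (a handful of lines, not the whole log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O4 - HKCU\..\Run: [Microsoft Windows Adapter 5.1.3214] C:\Documents and Settings\Benjamin\Application Data\kchpy.exe
O4 - HKLM\..\Run: [KernelDrv.exe] C:\WINDOWS\System32\KernelDrv.exe
O15 - Trusted Zone: *.whataboutadog.com
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Program names this thread itself identifies as rogue or dubious. This is
# deliberately not a general blocklist.
THREAD_NAMED_ROGUES = ("awola", "spydefender")

# Directories an ordinary Windows XP installer does not use for autorun
# binaries: per-user profile folders and temp folders any process can write to.
USER_WRITABLE_DIRS = (
    "\\documents and settings\\",
    "\\application data\\",
    "\\local settings\\temp\\",
    "\\temp\\",
)

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Program path at the start of a command line: optional quotes, stop at the
# first executable extension so trailing arguments are dropped.
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|cpl|scr))"?', re.IGNORECASE)


def executable_path(cmd: str) -> str:
    """Return the program path from a Run-key command line, without quotes or arguments."""
    m = PATH_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def _finding(line: str, reason: str, severity: str) -> Dict[str, str]:
    return {"line": line, "reason": reason, "severity": severity}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Flag HijackThis lines that deserve a second look; one dict per finding."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            name = m.group("name").lower()
            path = executable_path(m.group("cmd")).lower()
            if any(d in path for d in USER_WRITABLE_DIRS):
                findings.append(_finding(line, "autorun binary in user-writable profile/temp directory", "high"))
            if ("microsoft" in name or "windows" in name) and not path.startswith("c:\\windows\\"):
                findings.append(_finding(line, "Windows-sounding name but path is outside C:\\WINDOWS", "high"))
            if any(r in name or r in path for r in THREAD_NAMED_ROGUES):
                findings.append(_finding(line, "program identified as rogue in this thread", "high"))
            continue
        m = O15_RE.match(line)
        if m:
            findings.append(_finding(line, f"Trusted Zone entry for {m.group('domain')} (relaxed IE security for that site)", "high"))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").lower() == "unknown owner":
            # Legitimate OEM services often lack publisher info too, so this is only a prompt to verify.
            findings.append(_finding(line, "service with no publisher recorded", "low"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['reason']}\n    {f['line']}")
```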
     
Short URL to this thread: https://techguy.org/673340