
Solved: Trojan/Malware Detected but Unsuccessfully Deleted

Discussion in 'Virus & Other Malware Removal' started by colossusofrhodes, Apr 13, 2008.

  1. colossusofrhodes

    colossusofrhodes Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    21
    Hello,

    I was recently infected with a trojan, virus, and/or malware that propagated into more trojans, viruses and/or malware on my WinXP SP2 computer. :( I had my background turned into a fake anti-spyware ad, which I eventually managed to remove. Also, I had a little yellow triangle with an exclamation point in it that kept popping up with balloons that told me my computer was being attacked, my machine was at risk, my information could be compromised, etc; I managed to take care of that problem too. In addition, command prompt and task manager had been locked, but I also fixed that problem.

    Now, I ran several different security programs, most notably Spyware Doctor, on my machine, which detected a considerable number of problems. I let all of these delete/fix what they could, but none of them were able to permanently delete anything. However, I went through and manually hunted for all of the things they found, and I was able to permanently rid myself of some of the detected files, programs, etc.

    Here is my logfile from HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:39:52 PM, on 4/13/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\DOCUME~1\RAYMON~1\APPLIC~1\ICROSO~1.NET\javaw.exe
    C:\Program Files\QdrModule\QdrModule15.exe
    C:\WINDOWS\?ppPatch\w?wexec.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\winself.exe
    C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe
    C:\Program Files\Spyware Doctor\swdoctor.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
    O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O4 - HKCU\..\Run: [Uaeu] "C:\DOCUME~1\RAYMON~1\APPLIC~1\ICROSO~1.NET\javaw.exe" -vt yazb
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\ie.exe
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [Peopouk] C:\WINDOWS\?ppPatch\w?wexec.exe
    O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 6428 bytes

    If there's any more information I can provide that could help in the solving of my problems, let me know.

    Thank you for your time,
    Colossus of Rhodes
     
  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Hi, Welcome to TSG!!

    Please visit this webpage for instructions on installing recovery console and downloading/running ComboFix.

    Post the log from ComboFix along with a new HijackThis log.


    I don't see any anti-virus software running.
    Load AVG, it's free.
     
  3. colossusofrhodes

    colossusofrhodes Thread Starter

    Thank you for your reply :]

    Ok, so, I successfully installed AVG as per your advice. I also successfully downloaded ComboFix and a Windows Recovery Console. However, when I tried to install the Windows Recovery Console, Command Prompt popped up with a message that read "Access is denied." So I don't know what to do about that.

    Also, for the record, the computer with the trojan/malware is not connected to the internet. I am writing to you from my laptop and downloading all of these files/applications onto my laptop and transferring them via my jump drive. The reason for this is because I wanted to disconnect the infected computer from my home network, so as to not infect the other computers. Also, by disconnecting it from the network, it eliminated internet access, which I deemed good because the trojan/malware were attempting to access the internet for a (most likely bad) purpose that is unknown to me.

    Colossus of Rhodes
     
  4. cybertech

    cybertech Retired Moderator

    OK, helps to know that.

    You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected, and the backups. We will then restore these files.

    Download FindAWF.exe from here or here, and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 1, then press Enter
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.
     
  5. colossusofrhodes

    colossusofrhodes Thread Starter

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Wed 04/16/2008
    The current time is: 18:38:55.84


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\BITTOR~1\BAK

    01/04/2007 09:18 PM 43,008 bittorrent.exe
    1 File(s) 43,008 bytes

    Directory of C:\PROGRA~1\MICROS~2\BAK

    06/03/2004 02:51 AM 172,032 type32.exe
    1 File(s) 172,032 bytes

    Directory of C:\PROGRA~1\MSNMES~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    10/25/2006 07:58 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\INF\BAK

    08/04/2004 03:56 AM 208,896 unregmp2.exe
    1 File(s) 208,896 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:56 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    05/12/2005 10:05 PM 344,064 atiptaxx.exe
    1 File(s) 344,064 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    08/27/2004 07:22 PM 58,488 ccApp.exe
    1 File(s) 58,488 bytes

    Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

    01/12/2006 05:40 PM 155,648 NeroCheck.exe
    06/01/2006 02:32 PM 94,208 NMBgMonitor.exe
    2 File(s) 249,856 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    43008 Jan 4 2007 "C:\Program Files\BitTorrent\bak\bittorrent.exe"
    28172 Oct 7 2007 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
    172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro 5.2\IType\SETUP\Files\type32.exe"
    286720 Nov 15 2007 "C:\Program Files\QuickTime\QTTask.exe"
    282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    208896 Aug 4 2004 "C:\WINDOWS\inf\unregmp2.exe"
    208896 Aug 4 2004 "C:\WINDOWS\inf\bak\unregmp2.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    28172 Oct 7 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    28172 Oct 7 2007 "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
    155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
    28172 Oct 7 2007 "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    94208 Jun 1 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"


    end of report

    Thanks for the continuing help,
    Colossus of Rhodes
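As an added example (not code from the thread and not part of FindAWF), the following Python script applies the moderator's reasoning to the "Duplicate files of bak directory contents" section of a FindAWF report: live executables that share one size and date under different file names are the dropped trojan copies, so their bak originals are restored; every other bak folder (original already in place, a newer legitimate build such as QTTask.exe, or no live counterpart such as ccApp.exe) is only removed. The sample input is copied from the reports posted in this thread; the fingerprint heuristic is my own assumption, not the tool's logic.

```python
"""Classify the 'Duplicate files of bak directory contents' section of a FindAWF report.

Added example, not FindAWF's own code. The downloader drops one identical binary over
several unrelated autostart executables and parks each original in a sibling 'bak'
folder. So a live file whose (size, date) is shared by *differently named* live files
elsewhere is a dropped copy -> restore its bak original; every other bak folder is
only removed (original already back, a newer legitimate build, or no live counterpart).
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input copied from the first FindAWF report in the thread (file lines only).
REPORT_BEFORE_RESTORE = r'''
43008 Jan 4 2007 "C:\Program Files\BitTorrent\bak\bittorrent.exe"
28172 Oct 7 2007 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro 5.2\IType\SETUP\Files\type32.exe"
286720 Nov 15 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
208896 Aug 4 2004 "C:\WINDOWS\inf\unregmp2.exe"
208896 Aug 4 2004 "C:\WINDOWS\inf\bak\unregmp2.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
28172 Oct 7 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
28172 Oct 7 2007 "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
28172 Oct 7 2007 "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
94208 Jun 1 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
'''

# Excerpt of the report after option 2 restored the originals. The IntelliType setup
# copy shares size/date with the live type32.exe but has the SAME name: not a dropper hit.
REPORT_AFTER_RESTORE = r'''
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro 5.2\IType\SETUP\Files\type32.exe"
344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
94208 Jun 1 2006 "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
94208 Jun 1 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
'''

LINE_RE = re.compile(r'^(\d+)\s+(\w{3} \d{1,2} \d{4})\s+"(.+)"$')


def parse_report(text):
    """Return [(size, date, PureWindowsPath)] for every file line in the section."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), PureWindowsPath(m.group(3))))
    return entries


def classify(entries):
    """Return {'restore': [bak files to put back], 'remove': [bak folders to delete]}."""
    live = {}   # lower-cased live path -> (size, date)
    baks = []   # (size, date, path) for files sitting inside a 'bak' folder
    for size, date, path in entries:
        if path.parent.name.lower() == "bak":
            baks.append((size, date, path))
        else:
            live[str(path).lower()] = (size, date)

    # Dropper fingerprint: one (size, date) carried by >= 2 differently named live files.
    names_by_sig = defaultdict(set)
    for p, sig in live.items():
        names_by_sig[sig].add(PureWindowsPath(p).name)
    dropper_sigs = {sig for sig, names in names_by_sig.items() if len(names) >= 2}

    restore, remove = [], set()
    for size, date, bak_path in baks:
        live_path = bak_path.parent.parent / bak_path.name
        if live.get(str(live_path).lower()) in dropper_sigs:
            restore.append(str(bak_path))     # live file is the trojan's copy
        else:
            remove.add(str(bak_path.parent))  # nothing left to restore here
    return {"restore": restore, "remove": sorted(remove)}


if __name__ == "__main__":
    for label, text in (("before restore", REPORT_BEFORE_RESTORE),
                        ("after restore", REPORT_AFTER_RESTORE)):
        plan = classify(parse_report(text))
        print(f"{label}: restore {plan['restore']}")
        print(f"{label}: remove {plan['remove']}")
```

Run against the first report it reproduces the moderator's two lists (four files to restore, five bak folders to remove); run against the post-restore report it leaves only the three remaining bak folders to remove.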
     
  6. cybertech

    cybertech Retired Moderator

    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


      "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
      "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
      "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
      "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"


    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 2, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.

    Next:

    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\Program Files\Common Files\Symantec Shared\bak
      C:\Program Files\BitTorrent\bak
      C:\WINDOWS\inf\bak
      C:\WINDOWS\system32\bak
      C:\Program Files\QuickTime\bak

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 3, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the bad folders and will perform another scan for bak folders.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.

    Next:

    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 4, then press Enter.
    • You will receive a warning to reset domain zones
    • Press 1 then press Enter.
    • If you have manually included sites in the trusted zones, these will need to be re-inserted.
     
  7. colossusofrhodes

    colossusofrhodes Thread Starter

    Ok, I followed those instructions and everything seemed to go smoothly.

    My first AWF.txt (option 2) from this round...

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Wed 04/16/2008
    The current time is: 20:03:08.90


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\BITTOR~1\BAK

    01/04/2007 09:18 PM 43,008 bittorrent.exe
    1 File(s) 43,008 bytes

    Directory of C:\PROGRA~1\MICROS~2\BAK

    06/03/2004 02:51 AM 172,032 type32.exe
    1 File(s) 172,032 bytes

    Directory of C:\PROGRA~1\MSNMES~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    10/25/2006 07:58 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\INF\BAK

    08/04/2004 03:56 AM 208,896 unregmp2.exe
    1 File(s) 208,896 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:56 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    05/12/2005 10:05 PM 344,064 atiptaxx.exe
    1 File(s) 344,064 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    08/27/2004 07:22 PM 58,488 ccApp.exe
    1 File(s) 58,488 bytes

    Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

    01/12/2006 05:40 PM 155,648 NeroCheck.exe
    06/01/2006 02:32 PM 94,208 NMBgMonitor.exe
    2 File(s) 249,856 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    43008 Jan 4 2007 "C:\Program Files\BitTorrent\bak\bittorrent.exe"
    172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
    172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro 5.2\IType\SETUP\Files\type32.exe"
    286720 Nov 15 2007 "C:\Program Files\QuickTime\QTTask.exe"
    282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    208896 Aug 4 2004 "C:\WINDOWS\inf\unregmp2.exe"
    208896 Aug 4 2004 "C:\WINDOWS\inf\bak\unregmp2.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
    155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
    94208 Jun 1 2006 "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    94208 Jun 1 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"


    end of report

    My second AWF.txt (option 3) from this round...

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Wed 04/16/2008
    The current time is: 20:23:45.92


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MICROS~2\BAK

    06/03/2004 02:51 AM 172,032 type32.exe
    1 File(s) 172,032 bytes

    Directory of C:\PROGRA~1\MSNMES~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    05/12/2005 10:05 PM 344,064 atiptaxx.exe
    1 File(s) 344,064 bytes

    Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

    01/12/2006 05:40 PM 155,648 NeroCheck.exe
    06/01/2006 02:32 PM 94,208 NMBgMonitor.exe
    2 File(s) 249,856 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
    172032 Jun 3 2004 "C:\Program Files\Microsoft IntelliType Pro 5.2\IType\SETUP\Files\type32.exe"
    344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    344064 May 12 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
    155648 Jan 12 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NeroCheck.exe"
    94208 Jun 1 2006 "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    94208 Jun 1 2006 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"


    end of report

    Colossus of Rhodes
     
  8. cybertech

    cybertech Retired Moderator

    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


      C:\Program Files\Microsoft IntelliType Pro\bak
      C:\Program Files\ATI Technologies\ATI Control Panel\bak
      C:\Program Files\Common Files\Ahead\Lib\bak


    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • You will be presented with a Menu.
      1. Press 1 then Enter to scan for bak folders
      2. Press 2 then Enter to restore files from bak folders
      3. Press 3 then Enter to remove bak folders
      4. Press 4 then Enter to reset domain zones
      5. Press E then Enter to EXIT
    • Press 3, then press Enter.
    • Press any key to continue.
    • A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    • Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    • The program will proceed to remove the bad folders and will perform another scan for bak folders.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.
     
  9. colossusofrhodes

    colossusofrhodes Thread Starter

    The next AWF Report (4th total, 3rd option completed, again)

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Thu 04/17/2008
    The current time is: 16:28:28.90


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MSNMES~1\BAK

    0 File(s) 0 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report

    Colossus of Rhodes
     
  10. cybertech

    cybertech Retired Moderator

    Please post a new Hijackthis log now.
     
  11. colossusofrhodes

    colossusofrhodes Thread Starter

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:41:40 PM, on 4/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\winself.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\DOCUME~1\RAYMON~1\APPLIC~1\ICROSO~1.NET\javaw.exe
    C:\WINDOWS\?ppPatch\w?wexec.exe
    C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O4 - HKCU\..\Run: [Uaeu] "C:\DOCUME~1\RAYMON~1\APPLIC~1\ICROSO~1.NET\javaw.exe" -vt yazb
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\ie.exe
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [Peopouk] C:\WINDOWS\?ppPatch\w?wexec.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-1417001333-813497703-839522115-500\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Administrator')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 7165 bytes

    Colossus of Rhodes
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Can you run ComboFix now?

    If not download Malwarebytes Anti-Malware from Here or Here
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick Scan, then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy the entire report and paste it in your next reply.
    Extra Note:

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
     
  13. colossusofrhodes

    colossusofrhodes Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    21
    I still cannot get ComboFix to run.

    Here is my MBAM log:

    Malwarebytes' Anti-Malware 1.11
    Database version: 599

    Scan type: Quick Scan
    Objects scanned: 32877
    Time elapsed: 11 minute(s), 27 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 13
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 5
    Files Infected: 70

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\xxyWQKdb.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7d88dcf2-00ce-4c72-97a0-1c764b087e7b} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{7d88dcf2-00ce-4c72-97a0-1c764b087e7b} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\toolbar.tb (Adware.AdMedia) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\toolbar.tb.1 (Adware.AdMedia) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\AppID\{b0e43034-50f5-1f84-8098-824b44f2dbc3} (Adware.AdMedia) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2012f73e-7427-4ad8-9e9d-6cba6e0053d4} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\QdrDrive (Adware.ISM) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\toolbar.TB (Adware.AdMedia) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\toolbar.TB.1 (Adware.AdMedia) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\SWD123 (Rogue.SpyDefender) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywqkdb -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywqkdb -> Delete on reboot.

    Folders Infected:
    C:\Program Files\SpyDefender Pro (Rogue.SpyDefender) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget (Adware.AdMedia) -> Delete on reboot.
    C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\Rabio\Search Enhancer (Adware.SearchEnhancer) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\Rabio (Adware.Rabio) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\xxyWQKdb.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\bdKQWyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bdKQWyxx.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\SpyDefender Pro\SpyDefender.ini (Rogue.SpyDefender) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1191730520.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1191998119.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1192672539.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1193363950.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1193970851.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1194731010.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1195346434.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1196023719.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1197916822.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1199136343.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1199745423.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1200352483.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1200987580.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1201320720.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\crap.1201981062.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dat (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll (Adware.AdMedia) -> Delete on reboot.
    C:\Program Files\WinBudget\bin\matrix.dll.1191998117.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1192672537.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1193363949.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1193970850.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1194731009.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1195346433.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1196023718.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1197916820.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1199136341.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1199745422.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1200352482.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1200987578.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1201320719.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1201981061.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1202010766.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\matrix.dll.1202250236.old (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\Program Files\WinBudget\bin\tempzor (Adware.AdMedia) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\000080.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\000090.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\avifile32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\avisynthex32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\aviwrap32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\bjam.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\bokja.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\browserad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\cdsm32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\changeurl_30.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\didduid.ini (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\msa64chk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\msapasrc.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\mspphe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\123messenger.per (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\ntnut.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\saiemod.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\shdocpe.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\shdocpl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\swin32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\voiceip.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\winsb.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\asferror32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\asycfilt32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\athprxy32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\ati2dvaa32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\ati2dvag32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\audiosrv32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\autodisc32.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    C:\WINDOWS\licencia.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\telefonos.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\textos.txt (Malware.Trace) -> Quarantined and deleted successfully.

    Colossus of Rhodes
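The MBAM log above has two outcomes per item: "Quarantined and deleted successfully" and "Delete on reboot". The second means the removal has been scheduled but has not happened yet (the Vundo DLL was still loaded, and the LSA Authentication Packages value is read by lsass.exe at boot), so those entries are the ones to re-check after the restart. The following parser is an added example and not Malwarebytes' code or anything from this thread; it reads the Malwarebytes 1.x log layout, counts detections per family, pulls out the deferred items as a post-reboot checklist, and pairs files whose name stems are mirror images of each other (in this log, xxyWQKdb.dll and bdKQWyxx.ini), which is a heuristic, not a documented rule. The sample log is a constructed excerpt in the same format.

```python
"""Parse a Malwarebytes 1.x scan log and build a post-reboot verification list.

Added example; not Malwarebytes code. Sample input is a constructed excerpt
in the log layout seen in this thread.
"""
import re
from collections import Counter

SAMPLE_MBAM = r"""
Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\xxyWQKdb.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7d88dcf2-00ce-4c72-97a0-1c764b087e7b} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\SWD123 (Rogue.SpyDefender) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\xxywqkdb -> Delete on reboot.

Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\xxyWQKdb.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\bdKQWyxx.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin\matrix.dll (Adware.AdMedia) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
# "<target> (<family>) -> <action>"; Registry Data Items carry "Data: ... -> <action>".
ITEM_RE = re.compile(r"^(?P<target>.+) \((?P<family>[A-Za-z0-9.]+)\) -> (?P<rest>.+)$")


def parse_mbam(text):
    """Return one dict per detection: section, target, family, action, data."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        item = ITEM_RE.match(line)
        if not item or section is None:
            continue  # summary counts, "(No malicious items detected)", etc.
        rest, data = item.group("rest"), None
        if " -> " in rest:  # Registry Data Items: "Data: <value> -> <action>"
            data, rest = rest.rsplit(" -> ", 1)
            data = data[len("Data: "):] if data.startswith("Data: ") else data
        entries.append({"section": section, "target": item.group("target"),
                        "family": item.group("family"),
                        "action": rest.rstrip("."), "data": data})
    return entries


def family_counts(entries):
    """Detections per malware family, as a plain dict."""
    return dict(Counter(e["family"] for e in entries))


def pending(entries):
    """Items MBAM could not remove while running; they are deferred to the restart."""
    return [e for e in entries if e["action"] == "Delete on reboot"]


def reboot_checklist(entries):
    """Turn the deferred removals into things to verify after the restart."""
    checks = []
    for e in pending(entries):
        if e["section"] == "Registry Data Items Infected":
            checks.append(f"confirm {e['target']} no longer lists {e['data']}")
        elif e["section"].startswith("Registry"):
            checks.append(f"confirm key is gone: {e['target']}")
        else:
            checks.append(f"confirm path is gone: {e['target']}")
    return checks


def reversed_name_pairs(entries):
    """Heuristic: file stems that are exact reverses of each other (xxyWQKdb / bdKQWyxx)."""
    stems = set()
    for e in entries:
        target = e["target"]
        if target.upper().startswith("HKEY") or "\\" not in target:
            continue
        name = target.rsplit("\\", 1)[-1]
        if "." in name:
            stems.add(name.rsplit(".", 1)[0].lower())
    pairs = {tuple(sorted((s, s[::-1]))) for s in stems if s[::-1] != s and s[::-1] in stems}
    return sorted(pairs)


if __name__ == "__main__":
    found = parse_mbam(SAMPLE_MBAM)
    print(family_counts(found))
    for check in reboot_checklist(found):
        print("after reboot:", check)
    print("mirrored names:", reversed_name_pairs(found))
```

Run against the full log rather than the excerpt to get the complete checklist; anything still present after the restart is the signal that the infection is reinstating itself, which is exactly the situation the thread starter described at the top.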
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.



    Download (save and select your desktop to save it to) SUPERAntiSpyware Free for Home Users
    • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    • An icon will be created on your desktop. Double-click that icon to launch the program.
    • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
    • Under "Configuration and Preferences", click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked (leave all others unchecked):
      • Close browsers before scanning.
      • Scan for tracking cookies.
      • Terminate memory threats before quarantining.
    • Click the "Close" button to leave the control center screen.
    • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    • On the left, make sure you check C:\Fixed Drive and all other fixed drives.
    • On the right, under "Complete Scan", choose Perform Complete Scan.
    • Click "Next" to start the scan. Please be patient while it scans your computer.
    • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    • Make sure everything has a checkmark next to it and click "Next".
    • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    • If asked if you want to reboot, click "Yes".
    • To retrieve the removal information after reboot, launch SUPERAntispyware again.
      • Click Preferences, then click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
      • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
    • Click Close to exit the program.


    Please perform a scan with Kaspersky Webscan Online Virus Scanner
    • Read the Requirements and Privacy statement, then select "Accept".
    • A new window will appear prompting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
    • Click "Yes" or select "Install" to download the ActiveX controls that allow ActiveScan to run.
    • When the download is complete it will say ready, click "Next".
    • Click "Scan Settings" and check the option to use the Extended Database (if available, otherwise Standard).
    • Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
    • Click "OK".
    • Under "Select a target to scan", click on "My Computer".
    • When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

    Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically, or it will show 'Kaspersky Online Scanner license key was not found!'
     
  15. colossusofrhodes

    colossusofrhodes Thread Starter

    Joined:
    Apr 13, 2008
    Messages:
    21
    Here is my SUPERAntiSpyware Scan log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 04/19/2008 at 03:18 AM

    Application Version : 4.0.1154

    Core Rules Database Version : 3412
    Trace Rules Database Version: 1404

    Scan type : Complete Scan
    Total Scan Time : 01:44:21

    Memory items scanned : 495
    Memory threats detected : 1
    Registry items scanned : 7329
    Registry threats detected : 1
    File items scanned : 96331
    File threats detected : 1

    Adware.ClickSpring/Resident
    C:\WINDOWS\PPPATC~1\WWEXEC~1.EXE
    C:\WINDOWS\PPPATC~1\WWEXEC~1.EXE

    Rogue.SpyDefender Pro
    HKU\S-1-5-21-1417001333-813497703-839522115-1003\Software\SpyDefender

    Here is my HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:36:58 AM, on 4/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\winself.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Microsoft IntelliType Pro\type32.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\DOCUME~1\RAYMON~1\APPLIC~1\ICROSO~1.NET\javaw.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wbem\wmiprvse.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: StFlex IE Helper - {8334A30C-49E5-489a-B63D-5B927C1EF46E} - C:\Program Files\QdrDrive\QdrDrive15.dll (file missing)
    O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\khfETlmj.dll
    O2 - BHO: (no name) - {CCFC3EAD-8064-D190-139B-D18F717F2E9B} - C:\WINDOWS\system32\bhgz.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [MP10_EnsureFileVer] C:\WINDOWS\inf\unregmp2.exe /EnsureFileVersions
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKLM\..\Run: [HPWITOOLBOX] C:\Program Files\Hewlett-Packard\hp deskjet 9600 series\Toolbox\HPWITBX.exe "-i"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O4 - HKCU\..\Run: [Uaeu] "C:\DOCUME~1\RAYMON~1\APPLIC~1\ICROSO~1.NET\javaw.exe" -vt yazb
    O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\ie.exe
    O4 - HKCU\..\Run: [QdrModule15] "C:\Program Files\QdrModule\QdrModule15.exe"
    O4 - HKCU\..\Run: [Peopouk] C:\WINDOWS\?ppPatch\w?wexec.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Belkin Network USB Hub Control Center.lnk = C:\Program Files\Belkin\Network USB Hub Control Center\Connect.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - http://lads.myspace.com/upload/MySpaceUploader.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: khfETlmj - C:\WINDOWS\SYSTEM32\khfETlmj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

    --
    End of file - 8077 bytes

    I have not, to this point, run the Kaspersky Webscan, because I am still disconnected from my network and the internet as well. Is it safe to reconnect to the network and the internet yet without passing on infections through the network or internet (e-mail specifically)?

    Colossus of Rhodes
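Reading a HijackThis log by hand means scanning for a few recurring patterns: an extra program chained after userinit.exe in the F2 line, an O4 autostart under a Temp directory or with a path HijackThis could not render (the "?" in C:\WINDOWS\?ppPatch above), the same DLL registered as an O2 BHO and again as an O20 Winlogon Notify package (khfETlmj.dll above), and an O23 service with "Unknown owner" running from somewhere other than system32 or Program Files (winself.exe above). The script below is an added example, not HijackThis code and not something posted in this thread; it encodes those checks as heuristics, which are assumptions about what is worth a second look rather than verdicts. The sample log is constructed from the kinds of entries that appear in the log above.

```python
"""Heuristic triage of a HijackThis 2.x log.

Added example; not HijackThis code. The checks are triage heuristics
(assumptions), and the sample input is constructed in HijackThis format
from the entry kinds seen in this thread.
"""
import re

SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wmsdkns.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A8EEB996-62AA-4E48-995D-EADDCAC47476} - C:\WINDOWS\system32\khfETlmj.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\DOCUME~1\RAYMON~1\LOCALS~1\Temp\ie.exe
O4 - HKCU\..\Run: [Peopouk] C:\WINDOWS\?ppPatch\w?wexec.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: khfETlmj - C:\WINDOWS\SYSTEM32\khfETlmj.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: MSSysInterv (MSSysInterv1) - Unknown owner - C:\WINDOWS\winself.exe
"""

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
EIGHT_ALPHA_DLL = re.compile(r"^[A-Za-z]{8}\.dll$")


def exe_of(cmd):
    """Executable path from an O4 command line, whether quoted or bare with arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|scr|com|cpl))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def looks_random(filename):
    """Eight letters with mixed case inside the stem (khfETlmj.dll); heuristic only."""
    if not EIGHT_ALPHA_DLL.match(filename):
        return False
    stem = filename[:-4]
    return any(c.isupper() for c in stem[1:]) and any(c.islower() for c in stem)


def triage(log_text):
    """Return (code, reason, raw_line) for entries that deserve a closer look."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body"), line.strip()))

    # O2 BHO DLL basenames, cross-referenced against O20 Winlogon Notify entries.
    bho_dlls = {body.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1].lower()
                for code, body, _ in entries if code == "O2"}

    findings = []
    for code, body, raw in entries:
        if code == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            parts = [p.strip() for p in value.split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append((code, "extra program chained after userinit.exe: " + ", ".join(extra), raw))
        elif code == "O4" and "Run: [" in body:
            exe = exe_of(body.split("] ", 1)[1])
            if "?" in exe:
                findings.append((code, "path has a character HijackThis could not render ('?'); "
                                       "possible lookalike directory name", raw))
            if re.search(r"\\temp\\", exe, re.IGNORECASE):
                findings.append((code, "autostart entry points into a Temp directory", raw))
        elif code == "O20" and body.startswith("Winlogon Notify:"):
            name = body.rsplit(" - ", 1)[-1].rsplit("\\", 1)[-1]
            if name.lower() in bho_dlls:
                findings.append((code, f"{name} is loaded both as a BHO (O2) and as a Winlogon Notify package", raw))
            elif looks_random(name):
                findings.append((code, f"Winlogon Notify DLL with a random-looking name: {name}", raw))
        elif code == "O23" and body.startswith("Service:"):
            fields = body[len("Service: "):].rsplit(" - ", 2)
            if len(fields) == 3:
                _, owner, path = fields
                low = path.lower()
                if owner == "Unknown owner" and "\\system32\\" not in low and "program files" not in low:
                    findings.append((code, "service with no vendor string running from " + path.rsplit("\\", 1)[0], raw))
    return findings


if __name__ == "__main__":
    for code, reason, raw in triage(SAMPLE_HJT):
        print(f"[{code}] {reason}\n    {raw}")
```

The vendor check deliberately lets "ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe" through, since an unsigned-looking vendor field alone is common for legitimate drivers; it is the combination with an odd location that is flagged. Treat every hit as a lead to confirm (file hash, signature, on-disk timestamp), not as a removal list.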
     
Short URL to this thread: https://techguy.org/703515