
[Closed] Infected With a variant Win32TrojanDownloader


  • This topic is locked
25 replies to this topic

#16 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 08 November 2009 - 09:09 PM

Hi,

Please do the following:

Click Start>Run and copy/paste the following bolded text into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A report should pop open for you. Please post the contents in your next reply.


NEXT

What antivirus do you have installed? You're showing Norton in your add/remove programs, but there is no indication of it in your log?
Has it expired and did you uninstall it?

If you need another antivirus, download ONE of the following, update it and run it...post the log

(If you are happy with Norton, update it and run it)

Avira AntiVir
Avast


NEXT

Update your Spybot Search and Destroy, run a scan and post the results

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#17 T.C.

T.C.

    Authentic Member

  • Authentic Member
  • PipPip
  • 104 posts

Posted 10 November 2009 - 08:33 AM

I tried to copy and paste that file in the RUN box and an error message popped up saying it couldn't find it. Norton is on this computer but it's not active. My other question is... I have two other girls who work for me but they shouldn't be on the internet anyways. This computer is equipped with a PCI Card that can pick up an internet signal in the error. I don't want the girls using the internet while I'm not around. What can I do to stop them from using it? Every time I think I disabled the card... once you restart the computer the internet connection is open and LIVE. Just wondering what I could do that would be simple so they couldn't use the internet on this computer? Thanks! I will post the extra logs in a few minutes. Thanks!

#18 T.C.

T.C.

    Authentic Member

  • Authentic Member
  • PipPip
  • 104 posts

Posted 10 November 2009 - 09:39 AM

I tried to update Avira Virus program before it ran its cycle but it wouldn't update. I ran it without an update and here is the log:

Avira AntiVir Personal
Report file date: Tuesday, November 10, 2009 10:04

Scanning for 1562564 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus
Serial number : 0000149996-ADJIE-0000001
Platform : Windows XP
Windows version : (Service Pack 2) [5.1.2600]
Boot mode : Normally booted
Username : SYSTEM
Computer name : SOUTHWESTBEACH

Version information:
BUILD.DAT : 9.0.0.407 17961 Bytes 7/29/2009 10:34:00
AVSCAN.EXE : 9.0.3.7 466689 Bytes 7/21/2009 19:36:14
AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 16:58:24
LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 17:35:49
LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 16:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 18:30:36
ANTIVIR1.VDF : 7.1.4.132 5707264 Bytes 6/24/2009 15:21:42
ANTIVIR2.VDF : 7.1.4.253 1779200 Bytes 7/19/2009 04:08:01
ANTIVIR3.VDF : 7.1.5.19 139776 Bytes 7/23/2009 13:36:13
Engineversion : 8.2.0.228
AEVDF.DLL : 8.1.1.1 106868 Bytes 7/28/2009 19:31:50
AESCRIPT.DLL : 8.1.2.18 442746 Bytes 7/23/2009 15:59:39
AESCN.DLL : 8.1.2.4 127348 Bytes 7/23/2009 15:59:39
AERDL.DLL : 8.1.2.4 430452 Bytes 7/23/2009 15:59:39
AEPACK.DLL : 8.1.3.18 401783 Bytes 7/28/2009 19:31:50
AEOFFICE.DLL : 8.1.0.38 196987 Bytes 7/23/2009 15:59:39
AEHEUR.DLL : 8.1.0.143 1864055 Bytes 7/23/2009 15:59:39
AEHELP.DLL : 8.1.5.3 233846 Bytes 7/23/2009 15:59:39
AEGEN.DLL : 8.1.1.50 352629 Bytes 7/23/2009 15:59:39
AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 20:32:40
AECORE.DLL : 8.1.7.6 184694 Bytes 7/23/2009 15:59:39
AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 20:32:40
AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 14:47:59
AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 16:32:15
AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 20:34:28
AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 16:32:09
AVARKT.DLL : 9.0.0.3 292609 Bytes 3/24/2009 21:05:41
AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 16:37:08
SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 21:03:49
SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 14:21:33
NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 16:32:10
RCIMAGE.DLL : 9.0.0.25 2438913 Bytes 5/15/2009 21:39:58
RCTEXT.DLL : 9.0.37.0 86785 Bytes 4/17/2009 16:19:48

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:, D:,
Process scan........................: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Tuesday, November 10, 2009 10:04

Starting search for hidden objects.
'37102' objects were checked, '0' hidden objects were found.

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'SunTouch.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'wscntfy.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'Ymsgr_tray.exe' - '1' Module(s) have been scanned
Scan process 'X1Exec.exe' - '1' Module(s) have been scanned
Scan process 'exec.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'exec.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'SymWSC.exe' - '1' Module(s) have been scanned
Scan process 'EloDkMon.exe' - '1' Module(s) have been scanned
Scan process 'WlanMon.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'MDM.EXE' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'EloSrvce.exe' - '1' Module(s) have been scanned
Scan process 'AOLacsd.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
40 processes with 40 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '63' files ).

Starting the file scan:

Begin scan in 'C:\' <HP_PAVILION>
C:\hiberfil.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\pagefile.sys
[WARNING] The file could not be opened!
[NOTE] This file is a Windows system file.
[NOTE] This file cannot be opened for scanning.
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\Program Files\iTunes\iTunesHelper.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe
[DETECTION] Is the TR/PSW.Stealer.724081 Trojan
C:\Program Files\Online Services\PeoplePC\Utilities\AtlBrowser.exe
[DETECTION] Contains recognition pattern of the DIAL/90112 dialer
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP925\A0049182.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
C:\WINDOWS\SMINST\RECGUARD.EXE
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\WINDOWS\system32\hkcmd.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
C:\WINDOWS\system32\igfxtray.exe
[DETECTION] Is the TR/Mitglider.WP Trojan

Begin scan in 'D:\' <HP_RECOVERY>
D:\I386\Apps\APP08006\App08006.exe
[0] Archive type: ZIP SFX (self extracting)
--> hp/tmp/src/SpyPreInstall.exe
[1] Archive type: RSRC
[DETECTION] Is the TR/Hijacker.Gen Trojan

Beginning disinfection:
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b5a8a1a.qua'!
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b6d8a1d.qua'!
C:\Program Files\iTunes\iTunesHelper.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b6e8a0a.qua'!
C:\Program Files\Online Services\NetscapeOnline\NSsetup.exe
[DETECTION] Is the TR/PSW.Stealer.724081 Trojan
[NOTE] The file was moved to '4b6c8a09.qua'!
C:\Program Files\Online Services\PeoplePC\Utilities\AtlBrowser.exe
[DETECTION] Contains recognition pattern of the DIAL/90112 dialer
[NOTE] The file was moved to '4b658a2a.qua'!
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b5e8a1f.qua'!
C:\System Volume Information\_restore{8F7A5040-9305-4BDA-A5EE-E7EE68E6A93B}\RP925\A0049182.pif
[DETECTION] The file contains an executable program that is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was moved to '4b2989e6.qua'!
C:\WINDOWS\SMINST\RECGUARD.EXE
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b3c89fb.qua'!
C:\WINDOWS\system32\hkcmd.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b5c8a21.qua'!
C:\WINDOWS\system32\igfxtray.exe
[DETECTION] Is the TR/Mitglider.WP Trojan
[NOTE] The file was moved to '4b5f8a1d.qua'!
D:\I386\Apps\APP08006\App08006.exe
[NOTE] The file was moved to '4b698a26.qua'!

End of the scan: Tuesday, November 10, 2009 10:41
Used time: 35:48 Minute(s)

The scan has been done completely.

4862 Scanned directories
469760 Files were scanned
11 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
11 Files were moved to quarantine
0 Files were renamed
2 Files cannot be scanned
469747 Files not concerned
14734 Archives were scanned
2 Warnings
13 Notes
37102 Objects were scanned with rootkit scan
0 Hidden objects were found

#19 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 November 2009 - 09:46 AM

Hi,

Please do the following:

Download FindAWF.exe from here or here, and save it to your desktop.
  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • You will be presented with a Menu.

    1. Press 1 then Enter to scan for bak folders
    2. Press 2 then Enter to restore files from bak folders
    3. Press 3 then Enter to remove bak folders
    4. Press 4 then Enter to reset domain zones
    5. Press E then Enter to EXIT

  • Press 1, then press Enter
  • It may take a few minutes to complete so be patient.
  • When it is complete, it will open a text file in notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#20 T.C.

T.C.

    Authentic Member

  • Authentic Member
  • PipPip
  • 104 posts

Posted 10 November 2009 - 10:45 AM

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 11/10/2009
The current time is: 11:48:10.59

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\ITUNES\BAK
06/04/2004 09:38 PM 286,720 iTunesHelper.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK
04/14/2004 10:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
08/21/2004 12:51 AM 118,784 hkcmd.exe
08/21/2004 12:55 AM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK
11/10/2004 11:15 PM 111,816 ViewMgr.exe
1 File(s) 111,816 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
10/21/2004 08:39 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
08/19/2003 10:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
10/21/2004 07:27 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 4 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
118784 Aug 21 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\hkcmd.exe"
155648 Aug 21 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\igfxtray.exe"
111816 Nov 10 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
180269 Oct 21 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
149280 Nov 8 2009 "C:\Program Files\Java\jre6\bin\jusched.exe"
32881 Oct 21 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"

end of report

#21 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 10 November 2009 - 09:26 PM

Fix AWF Infection Step 2

Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

c:\program files\Common Files\Real\Update_OB\bak\realsched.exe
c:\program files\Common Files\Sonic\Update Manager\bak\sgtray.exe
c:\program files\iTunes\bak\iTunesHelper.exe
c:\windows\SMINST\bak\RECGUARD.EXE
c:\windows\system32\bak\hkcmd.exe
c:\windows\system32\bak\igfxtray.exe
c:\program files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe


  • Double-click on the FindAWF.exe file to run it.
  • It will open a command prompt and ask you to "Press any key to continue".
  • Press 2 then Enter
  • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
  • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
  • The program will proceed to move the legit files and will perform another scan for bak folders.
  • It may take a few minutes to complete, so please be patient.
  • When it is complete, it will open a text file in Notepad called AWF.txt.
  • Please copy and paste the contents of the AWF.txt file in your next reply.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
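As an added illustration (not part of the original posts, and not FindAWF's own code), this read-only Python check reproduces the triage behind menu options 1 and 2: it finds every `bak` folder and compares each file in it with the same-named file one level up. The `bak`/parent layout is an assumption taken from the report paths in this thread; the function names and the sample tree are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_bak_pairs(root):
    """Return (bak_path, status) for every 'bak' folder entry under root.

    Assumed layout, taken from the report paths in this thread: the displaced
    original is <dir>/bak/<name> and the suspect file is <dir>/<name>.
    """
    findings = []
    for current, dirs, files in os.walk(root):
        if os.path.basename(current).lower() != "bak":
            continue
        if not files and not dirs:
            findings.append((current, "empty-folder"))
            continue
        parent = os.path.dirname(current)
        for name in files:
            bak_copy = os.path.join(current, name)
            live = os.path.join(parent, name)
            if not os.path.isfile(live):
                status = "live-missing"   # e.g. the scanner already quarantined it
            elif sha256_of(live) == sha256_of(bak_copy):
                status = "identical"      # already restored, bak copy is redundant
            else:
                status = "live-differs"   # verify the bak copy before restoring it
            findings.append((bak_copy, status))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample data: file names borrowed from the thread, contents fake."""
    layout = {
        "iTunes/iTunesHelper.exe": b"replaced-content",
        "iTunes/bak/iTunesHelper.exe": b"original-content",
        "SMINST/bak/RECGUARD.EXE": b"original-content",
        "system32/hkcmd.exe": b"same-content",
        "system32/bak/hkcmd.exe": b"same-content",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
    os.makedirs(os.path.join(root, "Messenger", "bak"))


def demo():
    """Scan the constructed tree and return {relative bak path: status}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {os.path.relpath(path, root).replace(os.sep, "/"): status
                for path, status in find_bak_pairs(root)}


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:13} {path}")
```

The check only reads files; it moves and deletes nothing. A hash mismatch shows that the two copies differ, not which one is clean, so the `bak` copy still needs to be scanned before it is put back.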


#22 T.C.

T.C.

    Authentic Member

  • Authentic Member
  • PipPip
  • 104 posts

Posted 14 November 2009 - 08:24 AM

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 11/14/2009
The current time is: 9:23:36.20

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\ITUNES\BAK
06/04/2004 09:38 PM 286,720 iTunesHelper.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes

Directory of C:\WINDOWS\SMINST\BAK
04/14/2004 10:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
08/21/2004 12:51 AM 118,784 hkcmd.exe
08/21/2004 12:55 AM 155,648 igfxtray.exe
2 File(s) 274,432 bytes

Directory of C:\PROGRA~1\VIEWPO~1\VIEWPO~2\BAK
11/10/2004 11:15 PM 111,816 ViewMgr.exe
1 File(s) 111,816 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
10/21/2004 08:39 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
08/19/2003 10:01 AM 110,592 sgtray.exe
1 File(s) 110,592 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK
10/21/2004 07:27 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

286720 Jun 4 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
118784 Aug 21 2004 "C:\WINDOWS\system32\hkcmd.exe"
118784 Aug 21 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\hkcmd.exe"
118784 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\hkcmd.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\igfxtray.exe"
155648 Aug 21 2004 "C:\hp\drivers\video_Intel\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\igfxtray.exe"
155648 Aug 21 2004 "C:\WINDOWS\system32\ReinstallBackups\0007\DriverFiles\igfxtray.exe"
111816 Nov 10 2004 "C:\Program Files\Viewpoint\Viewpoint Manager\bak\ViewMgr.exe"
180269 Oct 21 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
149280 Nov 8 2009 "C:\Program Files\Java\jre6\bin\jusched.exe"
32881 Oct 21 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"

end of report

#23 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 14 November 2009 - 08:31 AM

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Highlight and copy the following bolded list of folders to be removed from the code box below.


C:\Program Files\iTunes\bak
C:\WINDOWS\SMINST\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\Viewpoint\Viewpoint Manager\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Sonic\Update Manager\bak
C:\Program Files\Java\j2re1.4.2_03\bin\bak


Click below the line of folders.txt and paste the list.
Close folders.txt and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log. Please post the contents of the new awf.txt log here.
______________________________________________________________________________

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#24 T.C.

T.C.

    Authentic Member

  • Authentic Member
  • PipPip
  • 104 posts

Posted 14 November 2009 - 06:06 PM

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: 11/14/2009
The current time is: 19:07:27.54

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\MESSEN~1\BAK
0 File(s) 0 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

#25 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 14 November 2009 - 07:11 PM

The AWF infection generally adds entries to the registry that can give trusted permissions to many bad domains. Let's make sure we remove those.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
then press 1 to continue at the next screen.
This removes all entries from the domain zones.
At the next screen, press 1 to return to the main screen or E to exit.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT


NEXT

Please do the following:

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c rd /f/a/q/s "C:\PROGRA~1\MESSEN~1\BAK"


Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015



#26 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 30 November 2009 - 06:19 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015
