18 replies to this topic

[karamazov]

Logfile of HijackThis v1.99.1
Scan saved at 1:46:05 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TRENDnet\TEW-441PC_443PI\TRENDnet.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
E:\Program Files\Trillian\trillian.exe
e:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\CTPdeSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Hello\Desktop\Super Secret Porn.... And HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.tomcoyote.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [InvisibleBrowsing] C:\Program Files\Invisible Browsing\InvisibleBrowsing.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKCU\..\Run: [Steam] "E:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MCW Startup] "E:\Program Files\Monitor Calibration Wizard\MCW.exe" /s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = E:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapte.lnk = C:\Program Files\TRENDnet\TEW-441PC_443PI\TRENDnet.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driverage...driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...699/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

[Rogue]

Hi karamazov ,

Welcome to Tom Coyote Forums

Please observe these rules while we work:

• Perform all actions in the order given.
• If you don't know, stop and ask! Don't keep going on.
• Please reply to this thread. Do not start a new topic.
• Since there may be other issues with your system besides your original symptoms, please continue to follow this thread until I have given you an "All Clean.".

If you can do these things, everything should go smoothly.

Ready? Let's go.

*=========================*

Download FindAWFand save it to your desktop.
http://noahdfear.gee...com/FindAWF.exe* Double-click on the FindAWF.exe file to run it.
* It will open a command prompt and ask you to "Press any key to continue".
* Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
* It may take a few minutes to complete so be patient.
* When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
* Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
*=========================*

Create Uninstall List with Hijackthis
This is how you do that:
Open HiJackThis
Click on the tab "Open the Misc Tools Session"
Click on the Box that says "Uninstall Manager"
Click on the button "Save list"
Copy and past the List from notepad into your post
*=========================*

Please post the following;

AWF.txt
Uninstall list

Thanks,
Rogue

[karamazov]

Find AWF report by noahdfear ©2006 bak folders found ~~~~~~~~~~~ Directory of C:\PROGRA~1\AIM\BAK 08/05/2005 03:08 PM 67,160 aim.exe 1 File(s) 67,160 bytes Directory of C:\PROGRA~1\MOTHER~1\BAK 06/12/2004 10:40 AM 594,944 MBM5.EXE 1 File(s) 594,944 bytes Directory of C:\PROGRA~1\PEERGU~1\BAK 09/18/2005 06:40 PM 1,421,824 pg2.exe 1 File(s) 1,421,824 bytes Directory of C:\PROGRA~1\PESTPA~1\BAK 01/10/2005 10:35 AM 73,728 CookiePatrol.exe 11/15/2004 12:49 PM 98,304 PPControl.exe 04/02/2004 04:11 PM 148,480 PPMemCheck.exe 3 File(s) 320,512 bytes Directory of C:\PROGRA~1\QUICKT~1\BAK 12/27/2004 12:47 PM 98,304 qttask.exe 1 File(s) 98,304 bytes Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK 11/29/2006 05:04 PM 406,016 avgcc.exe 1 File(s) 406,016 bytes Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK 10/04/2006 03:17 PM 185,784 realsched.exe 1 File(s) 185,784 bytes Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK 07/26/2006 03:03 AM 49,263 jusched.exe 1 File(s) 49,263 bytes Directory of E:\PROGRA~1\MONITO~1\BAK 12/28/2005 02:06 AM 768 Daniels.mcw 12/20/2002 06:06 PM 321,024 MCW.exe 12/13/2006 05:09 PM 768 STARTUP 3 File(s) 322,560 bytes Directory of E:\PROGRA~1\STEAM\BAK 10/08/2006 05:28 PM 1,249,280 Steam.exe 1 File(s) 1,249,280 bytes Directory of E:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BAK 04/26/2004 05:21 PM 270,336 BootSkin.exe 1 File(s) 270,336 bytes Duplicate files of bak directory contents ~~~~~~~~~~~~~~~~~~~~~~~ 67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe" 594944 Jun 12 2004 "C:\Program Files\Motherboard Monitor 5\MBM5.EXE" 594944 Jun 12 2004 "C:\Program Files\Motherboard Monitor 5\bak\MBM5.EXE" 1421824 Sep 18 2005 "C:\Program Files\PeerGuardian2\bak\pg2.exe" 73728 Jan 10 2005 "C:\Program Files\PestPatrol\CookiePatrol.exe1165978882" 73728 Jan 10 2005 "C:\Program Files\PestPatrol\bak\CookiePatrol.exe" 98304 Nov 15 2004 "C:\Program Files\PestPatrol\PPControl.exe1165978882" 98304 Nov 15 2004 "C:\Program Files\PestPatrol\bak\PPControl.exe" 148480 Apr 19 2003 "C:\Program Files\PestPatrol\PPMemCheck.exe1165978882" 148480 Apr 2 2004 "C:\Program Files\PestPatrol\bak\PPMemCheck.exe" 98304 Dec 27 2004 "C:\Program Files\QuickTime\bak\qttask.exe" 416256 May 1 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe" 406016 Nov 29 2006 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe" 185784 Oct 4 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" 32881 Jun 3 2004 "C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe" 49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe" 768 Dec 28 2005 "E:\Program Files\Monitor Calibration Wizard\Daniels.mcw" 768 Dec 28 2005 "E:\Program Files\Monitor Calibration Wizard\bak\Daniels.mcw" 321024 Dec 20 2002 "E:\Program Files\Monitor Calibration Wizard\MCW.exe" 321024 Dec 20 2002 "E:\Program Files\Monitor Calibration Wizard\bak\MCW.exe" 39936 Aug 5 2005 "C:\Program Files\AIM\startup.ocm" 362577 Jan 28 2005 "C:\Program Files\Spybot - Search & Destroy\Updates\startup.zip" 362599 Sep 29 2006 "C:\Program Files\Spybot - Search & Destroy1\Updates\startup.zip" 16812 Nov 19 2003 "C:\WINDOWS\Resources\Themes\Destiny\Sounds\StartUp.wav" 16812 Nov 19 2003 "C:\WINDOWS\Resources\Themes\SilverMAX\Sounds\StartUp.wav" 16812 Nov 19 2003 "C:\WINDOWS\Resources\Themes\Visions\Sounds\StartUp.wav" 768 Mar 20 2007 "E:\Program Files\Monitor Calibration Wizard\STARTUP" 1885 May 14 2004 "E:\Games\UT2004\System\Startup.int" 768 Dec 13 2006 "E:\Program Files\Monitor Calibration Wizard\bak\STARTUP" 4331 Nov 19 2001 "E:\Games\Put Games Here\UT1\System\Startup.int" 129078 Oct 7 1999 "E:\Program Files\Winlogos\themes\Techno\Startup.bmp" 1259000 Jun 2 2007 "E:\Program Files\Steam\Steam.exe" 1249280 Oct 8 2006 "E:\Program Files\Steam\bak\Steam.exe" 270336 Apr 26 2004 "E:\Program Files\Stardock\WinCustomize\BootSkin\bak\BootSkin.exe" end of report 3DMark05 Ad-Aware SE Personal Adobe Flash Player 9 ActiveX Adobe Reader 7.0 Age of Empires III AIM 6.0 AOL Instant Messenger ATI Display Driver (Omega 2.6.87) ATI Remote Wonder 1.4 AVG 7.5 AVS DVD Player version 2.2 Battlefield 2™ Belarc Advisor 6.1 BootSkin C-Media 3D Audio Commando Realism Mod v2.6 Corel WordPerfect Suite 8 Creative Jukebox Driver Creative Removable Disk Manager Creative System Information Creative Zen Micro DawnOfWar DivX DivX Player Fable - The Lost Chapters FaxTools FileSpecs plug-in for Ad-Aware SE GameSpy Arcade Google Earth Guild Wars Half-Life Half-Life® 2 HexDump plug-in for Ad-Aware SE HijackThis 1.99.1 J2SE Runtime Environment 5.0 Update 8 Jasc Paint Shop Pro 9 Java 2 Runtime Environment, SE v1.4.2_05 KhalSetup Lavasoft Reghance 2.1 -licensed- Lavasoft VX2 Cleaner Lexmark 1200 Series LimeWire PRO 4.12.3 Logitech Desktop Messenger Logitech MouseWare 9.76 Logitech SetPoint LogonStudio LSP Explorer plug-in for Ad-Aware SE Macromedia Shockwave Player Messenger-Control plug-in for Ad-Aware SE Microsoft Halo Microsoft Office Professional Edition 2003 Microsoft Rise Of Nations Microsoft Visual C++ 2005 Redistributable Microsoft XML Parser and SDK Monitor Calibration Wizard 1.0 Motherboard Monitor 5 Mozilla (1.7.13) MSXML 4.0 SP2 Parser and SDK MSXML4 Parser MultiRes (remove only) Nero OEM NVIDIA nForce Drivers OE/W Messengerctrl plug-in for Ad-Aware SE Pinnacle USB device drivers PowerZone Script Project64 1.6 QuickTime Radeon Omega Drivers v2.6.87 Setup Files and Tools RadLinker RealPlayer Return to Castle Wolfenstein Rome - Total War™ Secure Delivery SmartFTP SmartFTP Client 2.0 SmartStartup Spybot - Search & Destroy 1.4 SpywareBlaster v3.5.1 SpywareGuard v2.2 Star Wars Republic Commando Demo Starcraft StarSkin 2.4.5.6 Steam Sygate Personal Firewall Thief 2 Demo TRENDnet TEW-441PC/TEW-443PI 802.11g Wireless Cardbus/PCI Adapter Driver and Utility Tribes 2 Tribes Vengeance Trillian Truck Dismount (remove only) Tweak-SE plug-in for Ad-Aware SE Ultimate Doom for Windows 95 Ventrilo Client VideoLAN VLC media player 0.8.4 Viewpoint Media Player VX2 Cleaner plug-in for Ad-Aware SE Winamp (remove only) Windows Installer 3.1 (KB893803) Windows Live Messenger Windows Live Sign-in Assistant Windows Media Format Runtime Windows Media Player 10 Windows XP Hotfix - KB834707 Windows XP Hotfix - KB867282 Windows XP Hotfix - KB873333 Windows XP Hotfix - KB873339 Windows XP Hotfix - KB885250 Windows XP Hotfix - KB885835 Windows XP Hotfix - KB885836 Windows XP Hotfix - KB886185 Windows XP Hotfix - KB887472 Windows XP Hotfix - KB888113 Windows XP Hotfix - KB888302 Windows XP Hotfix - KB890047 Windows XP Hotfix - KB890175 Windows XP Hotfix - KB891781 Windows XP Service Pack 2 Winlogos 1.0 WinPcap 3.1 WinRAR archiver World of Warcraft Yahoo! Install Manager

[Rogue]

Hi karamazov,

Restore Files
Open notepad.
Copy and paste the text inside the Quote Box below into Notepad

if exist "C:\Program Files\AIM\aim.exe" del /q "C:\Program Files\AIM\aim.exe"
copy /y "C:\Program Files\AIM\bak\aim.exe" "C:\Program Files\AIM\aim.exe"
if exist "C:\Program Files\Grisoft\AVG7\avgcc.exe" del /q "C:\Program Files\Grisoft\AVG7\avgcc.exe"
copy /y "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe" "C:\Program Files\Grisoft\AVG7\avgcc.exe"
if exist "E:\Program Files\Steam\Steam.exe" del /q "E:\Program Files\Steam\Steam.exe"
copy /y "E:\Program Files\Steam\bak\Steam.exe" "E:\Program Files\Steam\Steam.exe"
if exist "C:\Program Files\QuickTime\qttask.exe" del /q "C:\Program Files\QuickTime\qttask.exe"
copy /y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime\qttask.exe"
if exist "E:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" del /q "E:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe"
copy /y "E:\Program Files\Stardock\WinCustomize\BootSkin\bak\BootSkin.exe" "E:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe"

In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: AWFFix.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

Next, on the Desktop, double click on AWFFix.bat
*=========================*

Start HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - AppInit_DLLs:

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked
*=========================*

Please update Java Runtime Environment

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6.1 Update

• Go to Start > Control Panel double-click on the Software icon > add/remove programs.
• Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
  
  Java 2 Runtime Environment, SE v1.4.2_05
  J2SE Runtime Environment 5.0 Update 8
  
  It should have next icon next to it:
  Select it and click Remove.
• The current version can be downloaded from Sun here: http://java.sun.com/...loads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 6u1'
  Selcted either Windows Online or Windows Offline download and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.

*=========================*

Re-Run FindAWF* Double-click on the FindAWF.exe file to run it.
* It will open a command prompt and ask you to "Press any key to continue".
* Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
* It may take a few minutes to complete so be patient.
* When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
* Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
*=========================*

Run Kapersky Online AV Scanner
Using Internet Explore Go to http://www.kaspersky.com/virusscanner and click the Kaspersky Online Scanner button.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

• Read the Requirements and limitations before you click Accept.
• Allow the ActiveX download if necessary.
• Once the database has downloaded, click Next.
• Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
• Click on "My Computer" and then put the kettle on!
• When the scan has completed, click Save Report As...
• Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
• Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
*=========================*

Please post the following;

New hijackthis log
New AWF.txt
Kapersky Log
How system is behaving

Thanks,

Rogue

Edited by R0gue, 06 June 2007 - 06:19 PM.

[karamazov]

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: ) Error #5 - Invalid procedure call or argument Please email me at merijn@spywareinfo.com, reporting the following: * What you were trying to fix when the error occurred, if applicable * How you can reproduce the error * A complete HijackThis scan log, if possible Windows version: Windows NT 5.01.2600 MSIE version: 6.0.2900.2180 HijackThis version: 1.99.1 This message has been copied to your clipboard. Click OK to continue the rest of the scan. I got that error

[Rogue]

Hi karamazov, Thanks for letting me know. Not to worried about the message at this point. If you haven't already just continue on with the fix as outlined Thanks, Rogue

[karamazov]

Logfile of HijackThis v1.99.1
Scan saved at 1:17:03 AM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\acs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\WINDOWS\Logi_MwX.Exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
E:\Program Files\Steam\Steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TRENDnet\TEW-441PC_443PI\TRENDnet.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hello\Desktop\Super Secret Porn.... And HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.tomcoyote.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [InvisibleBrowsing] C:\Program Files\Invisible Browsing\InvisibleBrowsing.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "E:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MCW Startup] "E:\Program Files\Monitor Calibration Wizard\MCW.exe" /s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = E:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapte.lnk = C:\Program Files\TRENDnet\TEW-441PC_443PI\TRENDnet.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driverage...driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...699/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

==================================================================================


Find AWF report by noahdfear ©2006


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 03:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\MOTHER~1\BAK

06/12/2004 10:40 AM 594,944 MBM5.EXE
1 File(s) 594,944 bytes

Directory of C:\PROGRA~1\PEERGU~1\BAK

09/18/2005 06:40 PM 1,421,824 pg2.exe
1 File(s) 1,421,824 bytes

Directory of C:\PROGRA~1\PESTPA~1\BAK

01/10/2005 10:35 AM 73,728 CookiePatrol.exe
11/15/2004 12:49 PM 98,304 PPControl.exe
04/02/2004 04:11 PM 148,480 PPMemCheck.exe
3 File(s) 320,512 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/27/2004 12:47 PM 98,304 qttask.exe
1 File(s) 98,304 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

11/29/2006 05:04 PM 406,016 avgcc.exe
1 File(s) 406,016 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

10/04/2006 03:17 PM 185,784 realsched.exe
1 File(s) 185,784 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

07/26/2006 03:03 AM 49,263 jusched.exe
1 File(s) 49,263 bytes

Directory of E:\PROGRA~1\MONITO~1\BAK

12/28/2005 02:06 AM 768 Daniels.mcw
12/20/2002 06:06 PM 321,024 MCW.exe
12/13/2006 05:09 PM 768 STARTUP
3 File(s) 322,560 bytes

Directory of E:\PROGRA~1\STEAM\BAK

10/08/2006 05:28 PM 1,249,280 Steam.exe
1 File(s) 1,249,280 bytes

Directory of E:\PROGRA~1\STARDOCK\WINCUS~1\BOOTSKIN\BAK

04/26/2004 05:21 PM 270,336 BootSkin.exe
1 File(s) 270,336 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

67160 Aug 5 2005 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
594944 Jun 12 2004 "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
594944 Jun 12 2004 "C:\Program Files\Motherboard Monitor 5\bak\MBM5.EXE"
1421824 Sep 18 2005 "C:\Program Files\PeerGuardian2\bak\pg2.exe"
73728 Jan 10 2005 "C:\Program Files\PestPatrol\CookiePatrol.exe1165978882"
73728 Jan 10 2005 "C:\Program Files\PestPatrol\bak\CookiePatrol.exe"
98304 Nov 15 2004 "C:\Program Files\PestPatrol\PPControl.exe1165978882"
98304 Nov 15 2004 "C:\Program Files\PestPatrol\bak\PPControl.exe"
148480 Apr 19 2003 "C:\Program Files\PestPatrol\PPMemCheck.exe1165978882"
148480 Apr 2 2004 "C:\Program Files\PestPatrol\bak\PPMemCheck.exe"
98304 Dec 27 2004 "C:\Program Files\QuickTime\qttask.exe"
98304 Dec 27 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
416256 May 1 2007 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
406016 Nov 29 2006 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
185784 Oct 4 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe"
768 Dec 28 2005 "E:\Program Files\Monitor Calibration Wizard\Daniels.mcw"
768 Dec 28 2005 "E:\Program Files\Monitor Calibration Wizard\bak\Daniels.mcw"
321024 Dec 20 2002 "E:\Program Files\Monitor Calibration Wizard\MCW.exe"
321024 Dec 20 2002 "E:\Program Files\Monitor Calibration Wizard\bak\MCW.exe"
39936 Aug 5 2005 "C:\Program Files\AIM\startup.ocm"
362577 Jan 28 2005 "C:\Program Files\Spybot - Search & Destroy\Updates\startup.zip"
362599 Sep 29 2006 "C:\Program Files\Spybot - Search & Destroy1\Updates\startup.zip"
16812 Nov 19 2003 "C:\WINDOWS\Resources\Themes\Destiny\Sounds\StartUp.wav"
16812 Nov 19 2003 "C:\WINDOWS\Resources\Themes\SilverMAX\Sounds\StartUp.wav"
16812 Nov 19 2003 "C:\WINDOWS\Resources\Themes\Visions\Sounds\StartUp.wav"
768 Mar 20 2007 "E:\Program Files\Monitor Calibration Wizard\STARTUP"
1885 May 14 2004 "E:\Games\UT2004\System\Startup.int"
768 Dec 13 2006 "E:\Program Files\Monitor Calibration Wizard\bak\STARTUP"
4331 Nov 19 2001 "E:\Games\Put Games Here\UT1\System\Startup.int"
129078 Oct 7 1999 "E:\Program Files\Winlogos\themes\Techno\Startup.bmp"
1259000 Jun 2 2007 "E:\Program Files\Steam\Steam.exe"
1249280 Oct 8 2006 "E:\Program Files\Steam\bak\Steam.exe"
270336 Apr 26 2004 "E:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe"
270336 Apr 26 2004 "E:\Program Files\Stardock\WinCustomize\BootSkin\bak\BootSkin.exe"


end of report

==================================================================================

C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4af38191d2ab3248fc8eb14f36f9f1c9_5665b25f-fb83-4b68-ac04-9f5e355ecd5d Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip/Uninstall.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0005 Infected: Trojan-Clicker.Win32.VB.ex skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0006/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0006/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612 ZIP: infected - 16 skipped
C:\Documents and Settings\Hello\.housecall\Quarantine\20050127170952.zip.bac_a02612 CryptFF.b: infected - 16 skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0005 Infected: Trojan-Clicker.Win32.VB.ex skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0006/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0006/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612/Documents and Settings/Hello/Local Settings/Temp/bb.exe Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612 ZIP: infected - 16 skipped
C:\Documents and Settings\Hello\.housecall6.6\Quarantine\20050127170952.zip.bac_a02612 CryptFF.b: infected - 16 skipped
C:\Documents and Settings\Hello\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hello\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hello\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hello\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hello\Local Settings\History\History.IE5\MSHist012007060620070607\index.dat Object is locked skipped
C:\Documents and Settings\Hello\Local Settings\Temp\~DF2A54.tmp Object is locked skipped
C:\Documents and Settings\Hello\Local Settings\Temp\~DF4C68.tmp Object is locked skipped
C:\Documents and Settings\Hello\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hello\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hello\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\PestPatrol\Quarantine\20050202215309.zip/Program Files/AT-Games/WebRebates_Auto_InstallSilent.exe/data0003/data0001 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped
C:\Program Files\PestPatrol\Quarantine\20050202215309.zip/Program Files/AT-Games/WebRebates_Auto_InstallSilent.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped
C:\Program Files\PestPatrol\Quarantine\20050202215309.zip/Program Files/AT-Games/WebRebates_Auto_InstallSilent.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped
C:\Program Files\PestPatrol\Quarantine\20050202215309.zip/Program Files/AT-Games/WebRebates_Auto_InstallSilent.exe/data0004 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Program Files\PestPatrol\Quarantine\20050202215309.zip/Program Files/AT-Games/WebRebates_Auto_InstallSilent.exe/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped
C:\Program Files\PestPatrol\Quarantine\20050202215309.zip/Program Files/AT-Games/WebRebates_Auto_InstallSilent.exe Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped
C:\Program Files\PestPatrol\Quarantine\20050202215309.zip ZIP: infected - 6 skipped
C:\Program Files\PestPatrol\Quarantine\20060508221511.zip/Documents and Settings/Hello/Desktop/Super Secret Porn.... And HJT/backups/backup-20060129-152747-601.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\PestPatrol\Quarantine\20060508221511.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{299937F3-0AFF-4179-94BC-F2DA8F7C36FE}\RP463\A0105757.exe Object is locked skipped
C:\System Volume Information\_restore{299937F3-0AFF-4179-94BC-F2DA8F7C36FE}\RP477\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\Program Files\Sygate\SPF\debug.log Object is locked skipped
E:\Program Files\Sygate\SPF\rawlog.log Object is locked skipped
E:\Program Files\Sygate\SPF\seclog.log Object is locked skipped
E:\Program Files\Sygate\SPF\syslog.log Object is locked skipped
E:\Program Files\Sygate\SPF\tralog.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{299937F3-0AFF-4179-94BC-F2DA8F7C36FE}\RP477\change.log Object is locked skipped
Scan process completed.


================================================================================

System is running like usual... lol.

Edited by karamazov, 07 June 2007 - 12:17 AM.

[Rogue]

Hi karamazov ,

ResetProtocolDefaults
http://www.mvps.org/...colDefaults.reg
Right click the link, save target as or save link as, and save to the Desktop.
Locate ResetProtocolDefaults.reg on the Desktop
Right-click and select: Merge
OK the prompt
*=========================*

Boot to Safe Mode
Please print the instructions below or copy and paste to Notepad since you will not have internet access while in Safe Mode.

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, continually press F8.
• Instead of Windows loading as normal, a menu should appear
• Select the first option, to run Windows in Safe Mode.

*=========================*

Restore Files
Open notepad.
Copy and paste the text inside the Quote Box below into Notepad

if exist "C:\Program Files\PeerGuardian2\pg2.exe" del /q "C:\Program Files\PeerGuardian2\pg2.exe"
copy /y "C:\Program Files\PeerGuardian2\bak\pg2.exe" "C:\Program Files\PeerGuardian2\pg2.exe"
if exist "C:\Program Files\Grisoft\AVG7\avgcc.exe" del /q "C:\Program Files\Grisoft\AVG7\avgcc.exe"
copy /y "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe" "C:\Program Files\Grisoft\AVG7\avgcc.exe"
if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
if exist "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" del /q "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
copy /y "C:\Program Files\Java\jre1.5.0_08\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
if exist "E:\Program Files\Steam\Steam.exe" del /q "E:\Program Files\Steam\Steam.exe"
copy /y "E:\Program Files\Steam\bak\Steam.exe" "E:\Program Files\Steam\Steam.exe"

In Notepad, go to File (upper menu bar), and select: Save as
In the Save as prompt:
Save in: Desktop
File Name: AWFFix.bat
Save as Type: All files
Click: Save
Exit out of Notepad.

Next, on the Desktop, double click on AWFFix.bat
*=========================*

Using Windows Explore navigate to and find following folders: if found, delete the following ;

C:\Documents and Settings\Hello\.housecall\Quarantine << Remove Contents of Folder Only
C:\Documents and Settings\Hello\.housecall6.6\Quarantine << Remove Contents of Folder Only
C:\Program Files\PestPatrol\Quarantine << Remove Contents of Folder Only

*=========================*


Restart your PC in Normal Mode
*=========================*

Open Spybot - Search & Destroy
On the left side, click "Recovery".
Note: If empty close SpyBot
Select (place a check) beside ALL the backup files that contain quarantined items.
Click on the Purge Selected Items button.
A dialog will appear, stating that the backup will be removed.
Click Yes. When the Recovery window is empty, Exit Spybot.
Run DelDomains
http://www.mvps.org/.../DelDomains.inf
To delete all entries in the Restricted & Trusted Zone list, right click DelDomains.inf
Select: Install
*=========================*

Post the following;

new hijackthis log

Thanks,

Rogue

Edited by R0gue, 07 June 2007 - 01:08 PM.

[karamazov]

Logfile of HijackThis v1.99.1
Scan saved at 3:31:50 PM, on 6/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Logi_MwX.Exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\TRENDnet\TEW-441PC_443PI\TRENDnet.exe
C:\WINDOWS\System32\svchost.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Hello\Desktop\Super Secret Porn.... And HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.tomcoyote.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [InvisibleBrowsing] C:\Program Files\Invisible Browsing\InvisibleBrowsing.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] "C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Steam] "E:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [MCW Startup] "E:\Program Files\Monitor Calibration Wizard\MCW.exe" /s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: LimeWire On Startup.lnk = E:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: 108Mbps Wireless LAN Adapte.lnk = C:\Program Files\TRENDnet\TEW-441PC_443PI\TRENDnet.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104fd.bay10...es/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driverage...driveragent.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...699/mcfscan.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: RadClock - Unknown owner - C:\WINDOWS\system32\RadClock.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - E:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

[Rogue]

Hi karamazov,

Please advise on any problems you may still have. :-

Uninstall Unnecessary Tools/Files

FindAWF.exe from Desktop
AWF.txt from desktop
AWFFix.bat from desktop
ResetProtocolDefaults.reg from desktop
DelDomains.inf from desktop

These were problem specific and were not intended for everyday use.
*========================*

Flush System Restore
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a Restore Point, and then click Ok

Next, go to Start > Run and type in cleanmgr
Select the More Options tab
Choose the option to Clean Up System Restore and select OK.
This will remove all restore points except the new one you just created
*========================*

This is my post for when you are All Clean - which you seem to be.

But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items or completed steps)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
  
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
Click here for more information on -> Computer Safety On line - Anti-Virus
In case you do NOT have any antivirus software installed in your computer or yours has expired, you may use one of the following.

• AVG Free Edition
• Avast Home Edition
• BitDefender Free Edition
• ClamWin Free Antivirus
• A-Squared Free
• Antivir Personal Edition
• Active Virus Shield

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall - this keeps your computer safe from hackers AS WELL AS from several computer viruses (mostly worms) which spread through the internet by using security holes of Windows. Have in mind that these are FREE FULL versions of the software and they lack of some features available in their shareware versions. Nevertheless, the FREE versions are capable of providing a basic firewall protection to your computer.

• Kerio Personal Firewall
• ZoneAlarm©
• Outpost Free
• Comodo
• Sygate (not supported anymore but you can download from here

Click here for more information on Firewalls -> Computer Safety On line - Software Firewalls


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Set up system to ensure a regular update of the Operating System.

Automatically:

• On the Desktop, right-click My Computer.
• Click Properties.
• Click on Automatic Updates
• Check the option of choice (I use Automatic (Recommended)). If you use dial-up I would recommend using the
  Notify Me option so that you can download when you can afford the time and bandwidth overheads.
• Select the Day/Time of choice
• Click Apply
• Click OK

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

• Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
  This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  
• Install Lavasofts© Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  
• Install Javacools© SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here: Click here for more info -->Computer Safety on line - Anti-Malware
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and you are less susceptible to attacks.

Safe Surfing,

Rogue

[karamazov]

PC is running ok. AVG popped up with a trojan 2ish posts ago but after I followed your instructions AVG broke and wont run anymore. Also Peer Guadian wont work, either. But thank you for your help. It is greatly appreciated.

[Rogue]

GRRRRRR. I hope I didn’t do something really stupid. Will you please do me a favor and see if the following applications still run; Steam, Real Player, Stardock, Quicktime, and AOL IM (AIM)

[karamazov]

Thats a big N-O on any of those, chief. lol. Its all good. I'll reinstall

[Rogue]

Karamazov, I am truly sorry about misinterpreting the AWF log and putting you through reinstalling some applications. If you haven’t completed the installations yet I would very much appreciate you zipping up and sending me the .exes for those applications. Steam.exe realsched.exe avgcc.exe PeerGuardian2\pg2.exe AIM\aim.exe QuickTime\qttask.exe Stardock\WinCustomize\BootSkin\BootSkin.exe Something is not making sense to me on a couple. Sincerely, Rogue Email to hddofut AT aol.com

[karamazov]

Hey, its all good. lol. Not the end of the world. At least we got rid of all the stuffs, eh? The otheres, except for the orignal two (AVG, peerguardian) still work. The others just took forever to open up so I figured they werent gonna open lol.. You still want those two?

Edited by karamazov, 08 June 2007 - 10:07 AM.