Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Problem with whataboutadog.com

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Problem with whataboutadog.com

Unread postby BladeRun » October 7th, 2007, 4:38 pm

Hello all,

I went through the procedure outlined elsewhere on this site:

Spybot
Ad-aware
Trojan Hunter

Then I used the online virus scanner.

The above fixed several problems, but I still have the b.whataboutadog listed in my IE history. Here is my Hijackthis log:
Please help :) Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 4:33:21 PM, on 10/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\eM\Bay Reader\bak\Shwicon2k.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: TB Class - {0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2} - C:\Program Files\WinBudget\bin\matrix.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\bak\freemem.exe" Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.com/dvdkey/extended_ ... trfotr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_ ... ieplay.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packa ... anager.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesu ... .0.6.0.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3150345984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9290932046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFBF8896-3B4D-4F52-8904-135495443220}: NameServer = 68.87.64.196,68.87.66.196
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
BladeRun
Active Member
 
Posts: 10
Joined: October 7th, 2007, 10:01 am
Advertisement
Register to Remove

Unread postby Shaba » October 10th, 2007, 10:40 am

Hi BladeRun


Please download FindAWF and save it to your desktop

    * Double-click FindAWF.exe to start the tool.
    * Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
    * When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.


**Do not run any other option unless directed to do so.**
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby BladeRun » October 10th, 2007, 1:58 pm

Shaba wrote:Hi BladeRun


Please download FindAWF and save it to your desktop

    * Double-click FindAWF.exe to start the tool.
    * Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
    * When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**



Shaba,

Here is the log for the scan.
Thanks for helping :)


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Wed 10/10/2007
The current time is: 13:50:19.70


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

07/12/2002 06:15 AM 106,496 SiSUSBrg.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\ANTIVI~1\BAK

09/08/2007 12:03 PM 249,896 avgnt.exe
1 File(s) 249,896 bytes

Directory of C:\PROGRA~1\FREEME~1\BAK

10/07/2007 03:15 PM 28,172 freemem.exe
1 File(s) 28,172 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/06/2005 07:03 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MI558C~1\BAK

03/15/2005 05:46 AM 196,608 type32.exe
1 File(s) 196,608 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/07/2007 03:15 PM 28,172 qttask.exe
1 File(s) 28,172 bytes

Directory of C:\PROGRA~1\TROJAN~1.0\BAK

09/09/2007 09:31 AM 1,046,688 THGuard.exe
1 File(s) 1,046,688 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

10/05/2006 11:11 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\EM\BAYREA~1\BAK

07/04/2003 01:55 PM 135,168 Shwicon2k.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\FREEME~1\BAK\BAK

04/05/2000 09:03 AM 388,096 freemem.exe
1 File(s) 388,096 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

12/25/2005 03:17 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ROCKET~1\STARSKIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

01/24/2005 08:58 PM 81,920 SsAAD.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\TGTSOFT\STYLEXP\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 12:35 PM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

28172 Oct 7 2007 "C:\WINDOWS\SiSUSBrg.exe"
106496 Jul 12 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
249896 Oct 7 2007 "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe"
249896 Sep 8 2007 "C:\Program Files\AntiVir PersonalEdition Classic\bak\avgnt.exe"
229416 Jan 18 2006 "C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition classic\UPGRADE\basic\avgnt.exe"
28176 Oct 2 2007 "C:\Program Files\FreeMem Standard\freemem.exe"
28172 Oct 7 2007 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
28176 Oct 2 2007 "C:\Program Files\FreeMem Standard\freemem.exe"
28172 Oct 7 2007 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
28172 Oct 7 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 6 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
28172 Oct 7 2007 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
196608 Mar 15 2005 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
28172 Oct 7 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
28172 Oct 7 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
28172 Oct 7 2007 "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
1046688 Sep 9 2007 "C:\Program Files\TrojanHunter 5.0\bak\THGuard.exe"
28172 Oct 7 2007 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
28172 Oct 7 2007 "C:\Program Files\eM\Bay Reader\Shwicon2k.exe"
135168 Jul 4 2003 "C:\Program Files\eM\Bay Reader\bak\Shwicon2k.exe"
135168 Jul 4 2003 "C:\Drivers\Media Reader\program files\em\Bay Reader\shwicon2k.exe"
28176 Oct 2 2007 "C:\Program Files\FreeMem Standard\freemem.exe"
28172 Oct 7 2007 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
28172 Oct 7 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
28172 Oct 7 2007 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
28172 Oct 7 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
28172 Oct 7 2007 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
28172 Oct 7 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report
BladeRun
Active Member
 
Posts: 10
Joined: October 7th, 2007, 10:01 am

Unread postby Shaba » October 10th, 2007, 2:06 pm

Hi

Double-click FindAWF.exe to start the tool.

  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file:

    "C:\WINDOWS\bak\SiSUSBrg.exe"
    "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
    "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
    "C:\Program Files\QuickTime\bak\bak\qttask.exe"
    "C:\Program Files\TrojanHunter 5.0\bak\THGuard.exe"
    "C:\Program Files\Windows Defender\bak\MSASCui.exe"
    "C:\Program Files\eM\Bay Reader\bak\Shwicon2k.exe"
    "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
    "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
    "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
    "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby BladeRun » October 10th, 2007, 3:28 pm

Shaba wrote:Hi

Please post the results of the awf.txt here.


Hello,

Here is the AWF log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Wed 10/10/2007
The current time is: 15:25:30.79


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

07/12/2002 06:15 AM 106,496 SiSUSBrg.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\ANTIVI~1\BAK

09/08/2007 12:03 PM 249,896 avgnt.exe
1 File(s) 249,896 bytes

Directory of C:\PROGRA~1\FREEME~1\BAK

04/05/2000 09:03 AM 388,096 freemem.exe
1 File(s) 388,096 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/06/2005 07:03 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MI558C~1\BAK

03/15/2005 05:46 AM 196,608 type32.exe
1 File(s) 196,608 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/25/2005 03:17 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\TROJAN~1.0\BAK

09/09/2007 09:31 AM 1,046,688 THGuard.exe
1 File(s) 1,046,688 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

10/05/2006 11:11 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\EM\BAYREA~1\BAK

07/04/2003 01:55 PM 135,168 Shwicon2k.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\FREEME~1\BAK\BAK

04/05/2000 09:03 AM 388,096 freemem.exe
1 File(s) 388,096 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

12/25/2005 03:17 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ROCKET~1\STARSKIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

01/24/2005 08:58 PM 81,920 SsAAD.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\TGTSOFT\STYLEXP\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 12:35 PM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

106496 Jul 12 2002 "C:\WINDOWS\SiSUSBrg.exe"
106496 Jul 12 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
249896 Oct 7 2007 "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe"
249896 Sep 8 2007 "C:\Program Files\AntiVir PersonalEdition Classic\bak\avgnt.exe"
229416 Jan 18 2006 "C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition classic\UPGRADE\basic\avgnt.exe"
28176 Oct 2 2007 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
28176 Oct 2 2007 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
278528 Oct 6 2005 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 6 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
196608 Mar 15 2005 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
196608 Mar 15 2005 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
1046688 Sep 9 2007 "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
1046688 Sep 9 2007 "C:\Program Files\TrojanHunter 5.0\bak\THGuard.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
135168 Jul 4 2003 "C:\Program Files\eM\Bay Reader\Shwicon2k.exe"
135168 Jul 4 2003 "C:\Program Files\eM\Bay Reader\bak\Shwicon2k.exe"
135168 Jul 4 2003 "C:\Drivers\Media Reader\program files\em\Bay Reader\shwicon2k.exe"
28176 Oct 2 2007 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
28176 Oct 2 2007 "C:\Program Files\QuickTime\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report
BladeRun
Active Member
 
Posts: 10
Joined: October 7th, 2007, 10:01 am

Unread postby Shaba » October 11th, 2007, 2:05 am

Hi

One more round is needed:

Double-click FindAWF.exe to start the tool.

  • Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file:


    "C:\Program Files\FreeMem Standard\bak\freemem.exe"
    "C:\Program Files\QuickTime\bak\qttask.exe"


  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby BladeRun » October 16th, 2007, 12:18 am

Hi,

Sorry it took so long, was away from home for several days, here is the log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Tue 10/16/2007
The current time is: 0:13:12.28


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

07/12/2002 06:15 AM 106,496 SiSUSBrg.exe
1 File(s) 106,496 bytes

Directory of C:\PROGRA~1\ANTIVI~1\BAK

09/08/2007 12:03 PM 249,896 avgnt.exe
1 File(s) 249,896 bytes

Directory of C:\PROGRA~1\FREEME~1\BAK

04/05/2000 09:03 AM 388,096 freemem.exe
1 File(s) 388,096 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/06/2005 07:03 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\MI558C~1\BAK

03/15/2005 05:46 AM 196,608 type32.exe
1 File(s) 196,608 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/25/2005 03:17 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\TROJAN~1.0\BAK

09/09/2007 09:31 AM 1,046,688 THGuard.exe
1 File(s) 1,046,688 bytes

Directory of C:\PROGRA~1\WIFD1F~1\BAK

10/05/2006 11:11 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 03:56 AM 15,360 ctfmon.exe
1 File(s) 15,360 bytes

Directory of C:\PROGRA~1\EM\BAYREA~1\BAK

07/04/2003 01:55 PM 135,168 Shwicon2k.exe
1 File(s) 135,168 bytes

Directory of C:\PROGRA~1\FREEME~1\BAK\BAK

04/05/2000 09:03 AM 388,096 freemem.exe
1 File(s) 388,096 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

12/25/2005 03:17 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ROCKET~1\STARSKIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

01/24/2005 08:58 PM 81,920 SsAAD.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\TGTSOFT\STYLEXP\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes

Directory of C:\PROGRA~1\ATITEC~1\ATI.ACE\CORE-S~1\BAK

11/10/2006 12:35 PM 90,112 CLIStart.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

106496 Jul 12 2002 "C:\WINDOWS\SiSUSBrg.exe"
106496 Jul 12 2002 "C:\WINDOWS\bak\SiSUSBrg.exe"
249896 Oct 10 2007 "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe"
249896 Sep 8 2007 "C:\Program Files\AntiVir PersonalEdition Classic\bak\avgnt.exe"
229416 Jan 18 2006 "C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition classic\UPGRADE\basic\avgnt.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
278528 Oct 6 2005 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 6 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
196608 Mar 15 2005 "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
196608 Mar 15 2005 "C:\Program Files\Microsoft IntelliType Pro\bak\type32.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
1046688 Sep 9 2007 "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
1046688 Sep 9 2007 "C:\Program Files\TrojanHunter 5.0\bak\THGuard.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Oct 5 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
135168 Jul 4 2003 "C:\Program Files\eM\Bay Reader\Shwicon2k.exe"
135168 Jul 4 2003 "C:\Program Files\eM\Bay Reader\bak\Shwicon2k.exe"
135168 Jul 4 2003 "C:\Drivers\Media Reader\program files\em\Bay Reader\shwicon2k.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
40048 May 11 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
90112 Nov 10 2006 "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak\CLIStart.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"


end of report
BladeRun
Active Member
 
Posts: 10
Joined: October 7th, 2007, 10:01 am

Unread postby Shaba » October 16th, 2007, 12:41 am

Hi

That's ok :)

Double-click FindAWF.exe to start the tool.

  • Select option #3 - Remove bak folders by typing 3 and press 'Enter'
  • A text file will open up. Please copy/paste the following bolded text into the text file:

    C:\WINDOWS\bak
    C:\Program Files\FreeMem Standard\bak
    C:\Program Files\FreeMem Standard\bak\bak
    C:\Program Files\iTunes\bak
    C:\Program Files\Microsoft IntelliType Pro\bak
    C:\Program Files\QuickTime\bak
    C:\Program Files\TrojanHunter 5.0\bak
    C:\Program Files\Windows Defender\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\eM\Bay Reader\bak
    C:\Program Files\Adobe\Reader 8.0\Reader\bak
    C:\Program Files\Java\jre1.6.0_02\bin\bak
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\bak


  • Close the .txt file and click 'Yes' to save the changes.
  • When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby BladeRun » October 16th, 2007, 10:17 am

Hi,

Here is the log, its getting smaller :)


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 10/16/2007
The current time is: 10:12:05.31


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ANTIVI~1\BAK

09/08/2007 12:03 PM 249,896 avgnt.exe
1 File(s) 249,896 bytes

Directory of C:\PROGRA~1\FREEME~1\BAK

04/05/2000 09:03 AM 388,096 freemem.exe
1 File(s) 388,096 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\FREEME~1\BAK\BAK

04/05/2000 09:03 AM 388,096 freemem.exe
1 File(s) 388,096 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK\BAK

12/25/2005 03:17 PM 155,648 qttask.exe
1 File(s) 155,648 bytes

Directory of C:\PROGRA~1\ROCKET~1\STARSKIN\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SONY\SONICS~1\BAK

01/24/2005 08:58 PM 81,920 SsAAD.exe
1 File(s) 81,920 bytes

Directory of C:\PROGRA~1\TGTSOFT\STYLEXP\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

249896 Oct 10 2007 "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe"
249896 Sep 8 2007 "C:\Program Files\AntiVir PersonalEdition Classic\bak\avgnt.exe"
229416 Jan 18 2006 "C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition classic\UPGRADE\basic\avgnt.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\freemem.exe"
388096 Apr 5 2000 "C:\Program Files\FreeMem Standard\bak\bak\freemem.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\qttask.exe"
155648 Dec 25 2005 "C:\Program Files\QuickTime\bak\bak\qttask.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\SsAAD.exe"
81920 Jan 24 2005 "C:\Program Files\Sony\SonicStage\bak\SsAAD.exe"


end of report
BladeRun
Active Member
 
Posts: 10
Joined: October 7th, 2007, 10:01 am

Unread postby Shaba » October 16th, 2007, 10:19 am

Hi

Delete these folders:

C:\Program Files\FreeMem Standard\bak\
C:\Program Files\FreeMem Standard\bak\bak
C:\Program Files\QuickTime\bak\bak
C:\Program Files\Sony\SonicStage\bak

Empty Recycle Bin

Post back a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby BladeRun » October 16th, 2007, 12:02 pm

Here is the new Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:01:04 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\bak\freemem.exe" Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.com/dvdkey/extended_ ... trfotr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_ ... ieplay.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packa ... anager.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesu ... .0.6.0.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3150345984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9290932046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFBF8896-3B4D-4F52-8904-135495443220}: NameServer = 68.87.64.196,68.87.66.196
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
BladeRun
Active Member
 
Posts: 10
Joined: October 7th, 2007, 10:01 am

Unread postby Shaba » October 16th, 2007, 12:38 pm

Hi

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O15 - Trusted Zone: *.whataboutadog.com


Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby BladeRun » October 16th, 2007, 3:28 pm

Here is the Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 16, 2007 3:25:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/10/2007
Kaspersky Anti-Virus database records: 436812
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 181994
Number of viruses found: 6
Number of infected objects: 47
Number of suspicious objects: 0
Duration of the scan process: 02:18:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\00659b1f74db83b23fc3a13ab45fe95d_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\037319c56872f05d0cb32d516369705c_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\03f9297a4c35371b630e789e6dff7618_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\04ccab8b04f58fc2bdcf87db3d2a1ddc_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\16b54760c0fc4e095e83228020b82709_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\172b7d14127f0b1831ca5868c2446587_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1866f8dfca1f4070a15f7dd8bbd60fe0_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1a6d61857b358cbbe043786cd6bb0652_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1c9db0c1be0b6750d9bdd92d1d91f953_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\281e36d61b5842da37dc86bd350f1e61_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2a54cb8665290552428768fe93493b69_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2b72c67c3cbf8c96be5737e1b203b908_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3362277b0982eae8a7704810fa910220_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\38623d2135990cb1d3107549588cd61c_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3aad5451889b817e64e57cf8fb76e6a7_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3c6853d09414164c592bfbe2a55e5f4e_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3e60665c7371bdb3e00cea62454338d5_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3fab83da98f95d6c6bb93ac67da46533_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\411d4a8bcf1738bc17c80e1542848212_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\413ea1b603454b84985e4d0fbff3a1aa_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\47a0feb64488b05bfc5a9530f05d3f2e_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\49de3b482cfe7f5e2df0a32bba6a86e8_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4b2c52ee05cb3a1ce416e6a0d4a22ebe_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4eaa08f7d571ddcd456d17192e91a9c4_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\51032ed737c91f187e4b15cf5517bf81_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\54cdeefd3b05373aef540ad196cc0f4f_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5b1fd96da12b4e80000798a334260351_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5cf36bfd51318ec727c69ff313a02266_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\60c58334a8b8221312a31557c60370d2_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\629007b2722d7633a67ae2940ba86830_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6aac51785c1a498c63873abcad969c0c_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6b45714de3fdcb72e206970ad0b35379_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\715bb8085828ca75e62aa75f85b9bdc9_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7199916382ceedf0729f65adebe09c14_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\72b286cfecb78f983779019e91e40b6e_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\75bbd257e3ef002e8db0e41a4c52b51f_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\78471d5e690306dfc743080ecf7b32b5_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7f874afa8cd0c86360d42ea6e991ac76_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\81f5040c5f497ed4c457ff04a2fbddfb_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\84fd677d6e09c14ec8a00509fe7d06cb_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\864629341135fc571b41b93121f9151f_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\88f831b1be640dcdce690ead04d78642_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8d9dae3eebe95305992ecc0ea7dc8356_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\90404fac5a78082d260cbd6655a1befd_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\906d5e0ff295ef930c8b82627104abf1_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9976f5f68e5e852a22b2f30fb837c698_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9f3be6513ae09f074ba67d88ec5c7bc1_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a01f965f4f26bd120f75095cd9a739a1_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a2f7c82b3bdf561536785f45f2fb10c2_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\a3012fc92257274f03636a896c61e75e_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b19609daa905f373878412bd07f08a64_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b74975282842ac6e2b570b04ef7af42f_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c1376e6f271517cb3a5acba4addf6a42_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c255ffa82380bb4dc99cf018e31df7c8_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d5b40d7b67b6201fe3772da4b1239bae_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d635919e4132bf5f47cb775a41a78916_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dae7903eec1758359a5df6a3d7d4b452_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ddbef9356438b55b4ebd7bd66f9db92d_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\de11ed5ce10cdb871f4df6572a4bec0c_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\df1f7adf3e8e9fc6e73b21e18400e54c_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb20dd9c3ee1b78e73d6a08caa34971e_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eb5ed337fecf2226c8633e53b0b211fc_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ec91f4938428683735bf9d6cf966e13e_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ef2dee8ff6f1a5adadc46adc75dcce95_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f48104128f739dfa53e71a87dce37680_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f6742127e12915efdf968d211056c0be_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f7a2e10996a61751c5933f5a4e932f22_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fdabde614ca5968189f0ef118ff78807_1f11f89c-347f-4b31-8f0e-41015144312e Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-10072007-013310.log Object is locked skipped
C:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\ATI\ACE\Log\MOM-0.log Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{44C23963-285C-479C-BCC3-AF2B600B5180} Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF49A0.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temp\~DF49AC.tmp Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\AntiPhishing\CAE33426-F44F-405C-9719-08FC9932048E.dat Object is locked skipped
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\1ON7XWVC\pez[1].exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\1ON7XWVC\pez[1].exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.b skipped
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\1ON7XWVC\pez[1].exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.b skipped
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\1ON7XWVC\pez[1].exe NSIS: infected - 3 skipped
C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\T2K2UVD9\movie[1].qtl Infected: Exploit.Multi.Qtp.b skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\F.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\F.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.b skipped
C:\F.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.b skipped
C:\F.tmp NSIS: infected - 3 skipped
C:\Program Files\Adobe\m2.zip/m2/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Program Files\Adobe\m2.zip ZIP: infected - 1 skipped
C:\Program Files\ISM\BndDrive6.dll Infected: not-a-virus:AdWare.Win32.AdBand.b skipped
C:\Program Files\ISM\bndloader.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP898\A0121400.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP898\A0121407.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP898\A0121525.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP898\A0121525.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP898\A0121525.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP902\A0122715.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP902\A0122722.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.617 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP969\A0134492.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP969\A0134496.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP973\A0134772.rbf Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134839.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134840.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134841.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134843.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134844.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134845.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134846.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134847.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP976\A0134894.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135021.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135022.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135023.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135024.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135025.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135026.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135027.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135028.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135029.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135030.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135031.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135032.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP977\A0135045.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP978\A0136073.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP978\A0136074.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{A5D9CCDE-791E-4D4F-821A-ADE141134902}\RP980\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7AC8E99D-8D78-4C27-A0E1-84F50AD098BD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.








And here is the new Hijackthis report:

Logfile of HijackThis v1.99.1
Scan saved at 3:28:21 PM, on 10/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\eM\Bay Reader\Shwicon2k.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndDrive2 BHO Class - {8C6D5A56-791E-4fe8-9D64-81781FA15D68} - C:\Program Files\ISM\BndDrive6.dll
O2 - BHO: TwcToolbarBhoApp Class - {AA1F9DDB-E605-4ba6-81D4-E427DEE012AD} - C:\WINDOWS\system32\TwcToolbarBho.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O4 - HKLM\..\Run: [showicon2k] C:\Program Files\\eM\Bay Reader\Shwicon2k.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\bak\freemem.exe" Startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {0EDE3059-2BF8-49C5-8640-4694550C444E} (IACache Class) - http://www.lotrdvd.com/dvdkey/extended_ ... trfotr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extended_ ... ieplay.dll
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packa ... anager.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesu ... .0.6.0.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/resou ... NPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3150345984
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 9290932046
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{FFBF8896-3B4D-4F52-8904-135495443220}: NameServer = 68.87.64.196,68.87.66.196
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
BladeRun
Active Member
 
Posts: 10
Joined: October 7th, 2007, 10:01 am

Unread postby Shaba » October 17th, 2007, 4:38 am

Hi

Please download ATF Cleaner by Atribune and save
it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Empty this folder:

C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5\

Delete these:

C:\F.tmp
C:\Program Files\Adobe\m2.zip
C:\Program Files\ISM

Empty Recycle Bin

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Unread postby BladeRun » October 17th, 2007, 5:37 pm

Thanks very much :)

I followed all the instructions, but couldnt find this folder:


C:\Documents and Settings\Mom\Local Settings\Temporary Internet Files\Content.IE5

Other than that, everything looks good and acts fine. Thanks again!!!!!

Joe
BladeRun
Active Member
 
Posts: 10
Joined: October 7th, 2007, 10:01 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 71 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware