
Unable to get rid of popping up ad pages in IE7

Discussion in 'Malware and Virus Removal Archive' started by rrdvmail, 2007/04/27.

  1. 2007/04/27
    rrdvmail (Thread Starter)
    Hi. After reading other people's problems with that broadcaster.com popup virus, trojan or whatever, I followed the instructions there, but the items found in those posts don't match my HJT logs.

    Please take a look at my log to see if you find what's wrong. There are popups of pages already preloaded with various announcements, even with ****. Please help if you can:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:16:52 PM, on 4/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Macromedia\FreeHand MX\FreeHand MX.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Adobe\Adobe Photoshop CS\Photoshop.exe
    C:\DOCUME~1\RAYMON~1.MFP\LOCALS~1\Temp\~e5d141.tmp
    C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    C:\DOCUME~1\RAYMON~1.MFP\LOCALS~1\Temp\~e5d141.tmp
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Hijackthis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {59e75159-720b-4353-adb4-1e9b295ee1ad} - C:\WINDOWS\system32\cmpp32.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\tmpF.tmp.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\xxywts.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Getting Started with MacDrive 5.lnk = C:\Program Files\Mediafour\MacDrive5\MDGSTART.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - http://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/WebPlayer/MMLRadio.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mfpwhispanic.msft
    O17 - HKLM\Software\..\Telephony: DomainName = mfpwhispanic.msft
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mfpwhispanic.msft
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: cmpp32 - C:\WINDOWS\SYSTEM32\cmpp32.dll
    O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: .net_5cciwl - - (no file)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     
  2. 2007/04/27
    Geri
    Hi rrdvmail
    Welcome to windowsbbs

    Before we start any fixes I need to see this log.

    Download FindAWF from the link below, saving to the desktop.

    http://noahdfear.geekstogo.com/FindAWF.exe

    Double-click it to run it and follow the prompts. Please post the contents of the AWF.txt log it creates.

    Thanks
    Geri
     


  4. 2007/04/27
    rrdvmail (Thread Starter)
    Here it is:

    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINDOWS\BAK

    05/11/2000 02:00 AM 90,112 UpdReg.EXE
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\AIM6\BAK

    11/07/2006 11:29 AM 50,736 aim6.exe
    1 File(s) 50,736 bytes

    Directory of C:\PROGRA~1\BITTOR~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\DELLSU~1\BAK

    07/19/2004 08:51 AM 306,688 DSAgnt.exe
    1 File(s) 306,688 bytes

    Directory of C:\PROGRA~1\DIGSTR~1\BAK

    05/18/2005 02:49 PM 282,624 digstream.exe
    1 File(s) 282,624 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    06/14/2006 04:24 PM 278,528 iTunesHelper.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\MIAF83~1\BAK

    07/12/2005 03:35 PM 473,928 gcasServ.exe
    1 File(s) 473,928 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    07/31/2006 10:43 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\PROGRA~1\WINAMP\BAK

    04/30/2001 04:57 PM 10,752 Winampa.exe
    1 File(s) 10,752 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/29/2002 06:00 AM 13,312 ctfmon.exe
    08/13/2003 11:27 AM 28,672 DSentry.exe
    2 File(s) 41,984 bytes

    Directory of C:\PROGRA~1\COMMON~1\MEDIAF~1\BAK

    12/17/2002 04:43 PM 61,440 MACVNTFY.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

    08/26/2003 08:47 PM 204,800 PCMService.exe
    1 File(s) 204,800 bytes

    Directory of C:\PROGRA~1\GOOGLE\GMAILN~1\BAK

    07/15/2005 05:48 PM 479,232 gnotify.exe
    1 File(s) 479,232 bytes

    Directory of C:\PROGRA~1\TRENDM~1\OFFICE~1\BAK

    11/06/2003 08:27 PM 303,104 pccntmon.exe
    1 File(s) 303,104 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    06/16/2006 02:37 PM 3,334,144 YahooMessenger.exe
    1 File(s) 3,334,144 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    08/06/2003 02:04 AM 114,741 tfswctrl.exe
    1 File(s) 114,741 bytes

    Directory of C:\PROGRA~1\ADOBE\ADOBEV~1\CONTRO~1\BAK

    10/13/2003 04:24 PM 1,732,608 VersionCueTray.exe
    1 File(s) 1,732,608 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    10/28/2004 03:43 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 01:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

    04/03/2002 02:01 AM 135,264 diagent.exe
    1 File(s) 135,264 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\121128~1.546\BAK

    02/07/2007 08:45 AM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    11/10/2005 01:03 PM 36,975 jusched.exe
    1 File(s) 36,975 bytes

    Directory of C:\PROGRA~1\COMMON~1\AOL\113931~1\EE\BAK

    05/09/2006 08:24 PM 50,760 AOLSoftware.exe
    1 File(s) 50,760 bytes

    Directory of N:\HIAPAN~1\PEACHB~2\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of N:\HIAPAN~1\PEACHB~1\PEACHT~1\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of N:\HIAPAN~1\PEACHB~3\PEACHT~1\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of Y:\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    37039 Apr 9 2007 "C:\WINDOWS\UpdReg.EXE"
    90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
    50736 Mar 23 2007 "C:\Program Files\AIM6\aim6.exe"
    50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
    50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1139319968\ee\aim6.exe"
    37039 Apr 9 2007 "C:\Program Files\Dell Support\DSAgnt.exe"
    306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe"
    37039 Apr 9 2007 "C:\Program Files\DIGStream\digstream.exe"
    282624 May 18 2005 "C:\Program Files\DIGStream\bak\digstream.exe"
    37039 Apr 9 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
    278528 Jun 14 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    37039 Apr 9 2007 "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    473928 Jul 12 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe"
    37039 Apr 9 2007 "C:\Program Files\QuickTime\qttask.exe"
    282624 Jul 31 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    37039 Apr 9 2007 "C:\Program Files\Winamp\Winampa.exe"
    10752 Apr 30 2001 "C:\Program Files\Winamp\bak\Winampa.exe"
    15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
    13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
    37039 Apr 9 2007 "C:\WINDOWS\SYSTEM32\DSentry.exe"
    28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
    37039 Apr 9 2007 "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE"
    61440 Dec 17 2002 "C:\Program Files\Common Files\Mediafour\bak\MACVNTFY.EXE"
    37039 Apr 9 2007 "C:\Program Files\Dell\Media Experience\PCMService.exe"
    204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
    37039 Apr 9 2007 "C:\Program Files\Google\Gmail Notifier\gnotify.exe"
    479232 Jul 15 2005 "C:\Program Files\Google\Gmail Notifier\bak\gnotify.exe"
    37039 Apr 9 2007 "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe"
    303104 Nov 6 2003 "C:\Program Files\Trend Micro\OfficeScan Client\bak\pccntmon.exe"
    4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
    3334144 Jun 16 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
    114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
    114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
    37039 Apr 9 2007 "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe"
    61440 Oct 13 2003 "C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe"
    1732608 Oct 13 2003 "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\bak\VersionCueTray.exe"
    37039 Apr 9 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 Oct 28 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    37039 Apr 9 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe"
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
    37039 Apr 9 2007 "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe"
    135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
    3665920 Feb 14 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe"
    458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe"
    37039 Apr 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe"
    171448 Feb 7 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
    37039 Apr 9 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
    50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe"
    37039 Apr 9 2007 "C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe"
    50760 May 9 2006 "C:\Program Files\Common Files\AOL\1139319968\ee\bak\AOLSoftware.exe"


    end of report
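The FindAWF report above lists each startup executable beside the copy the tool found under a `bak` folder, and many of the live copies share the same size and date. As an added example (not code from this thread, from FindAWF or from HijackThis), the Python below parses a subset of those lines, copied from the posts here, pairs each `bak` file with its live twin, flags the live files that all share one size, and then looks up each O4 Run entry from the HijackThis log against those verdicts. The heuristic that one size recurring across unrelated vendors' binaries marks a replacement, and the "check vendor version" verdict for other size differences, are this example's assumptions rather than conclusions the thread draws.

```python
"""Added example (not from this thread, FindAWF or HijackThis): pair each file
under a 'bak' folder with the live copy in its parent folder, flag live copies
that all share one size, then look up HijackThis O4 Run entries against them."""
import re
from collections import Counter

# Sample lines copied from the logs posted in this thread (subset; one line keeps
# the trailing space seen on the page, which the parser tolerates).
AWF_SAMPLE = r"""
37039 Apr 9 2007 "C:\WINDOWS\UpdReg.EXE "
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
50736 Mar 23 2007 "C:\Program Files\AIM6\aim6.exe"
50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
37039 Apr 9 2007 "C:\Program Files\QuickTime\qttask.exe"
282624 Jul 31 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
37039 Apr 9 2007 "C:\WINDOWS\SYSTEM32\DSentry.exe"
28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe"
114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
37039 Apr 9 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
"""
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"""

AWF_LINE = re.compile(r'^\s*(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+?)\s*"\s*$')
O4_LINE = re.compile(r'^\s*O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$')


def parse_awf(text):
    """Parse '<size> <Mon> <d> <yyyy> "<path>"' lines; anything else is skipped."""
    return [{"size": int(m.group(1)), "date": m.group(2), "path": m.group(3)}
            for m in map(AWF_LINE.match, text.splitlines()) if m]


def live_counterpart(path):
    # C:\dir\bak\x.exe -> C:\dir\x.exe; None when the parent folder is not 'bak'
    parts = path.split("\\")
    if len(parts) < 3 or parts[-2].lower() != "bak":
        return None
    return "\\".join(parts[:-2] + parts[-1:])


def pair_bak_files(entries):
    """One record per bak file: expected live path, bak entry, live entry (or None)."""
    by_path = {e["path"].lower(): e for e in entries}
    return [{"path": lp, "bak": e, "live": by_path.get(lp.lower())}
            for e in entries for lp in [live_counterpart(e["path"])] if lp]


def dominant_size(pairs):
    """Size shared by two or more live files that differ from their bak copy.
    One size recurring across unrelated vendors' binaries is the tell (assumption)."""
    sizes = Counter(p["live"]["size"] for p in pairs
                    if p["live"] and p["live"]["size"] != p["bak"]["size"])
    size, count = sizes.most_common(1)[0] if sizes else (None, 0)
    return size if count >= 2 else None


def classify(pairs):
    """Verdict per expected live path (lower-cased for case-insensitive lookup)."""
    dom = dominant_size(pairs)
    verdicts = {}
    for p in pairs:
        live, bak = p["live"], p["bak"]
        if live is None:
            v = "no live copy in report"
        elif live["size"] == bak["size"]:
            v = "same size as bak copy"
        elif live["size"] == dom:
            v = f"replaced: matches dominant size {dom}"
        else:
            v = "differs from bak copy (check vendor version)"
        verdicts[p["path"].lower()] = v
    return verdicts


def run_key_targets(hjt_text):
    """Entry name and executable path from each HijackThis O4 Run line."""
    targets = []
    for m in filter(None, map(O4_LINE.match, hjt_text.splitlines())):
        name, cmd = m.group(2), m.group(3).strip()
        if cmd.startswith('"'):                 # quoted path, arguments may follow
            path = cmd[1:cmd.index('"', 1)]
        elif cmd.lower().endswith(".exe"):      # unquoted path with spaces, no args
            path = cmd
        else:                                   # unquoted path, then arguments
            path = cmd.split(" ", 1)[0]
        targets.append({"name": name, "path": path.strip()})
    return targets


def cross_check(hjt_text, awf_text):
    """Map each Run-key entry name to the verdict for the file it launches."""
    verdicts = classify(pair_bak_files(parse_awf(awf_text)))
    return {t["name"]: verdicts.get(t["path"].lower(), "not in AWF report")
            for t in run_key_targets(hjt_text)}
```

Call cross_check(HJT_SAMPLE, AWF_SAMPLE) to get the per-entry verdicts; feeding it the full logs from the posts above instead of the subset works the same way, because both parsers skip lines they do not recognise. The ctfmon.exe pair is the reason the verdicts are kept apart: its live copy differs from the bak copy but not by the dominant size, so the example does not call every size difference a replacement.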
     
  5. 2007/04/27
    Geri
    Hi rrdvmail
    :(

    This will take me a while to go through; in the meantime, please do this.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


    Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
    http://www.ewido.net/en/download/
    • Install AVG Anti-Spyware by double clicking the installer.
    • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    • On the main screen under Your Computer's security.
      • Click on Change state next to Resident shield. It should now change to inactive.
      • Click on Change state next to Automatic updates. It should now change to inactive.
      • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
      • Wait until you see the Update successful message.
    • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update ewido.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All checkboxes should be ticked.
      • Under Possibly unwanted software:
        • All checkboxes should be ticked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
      IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
      • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
      • At the bottom of the window click on the Apply all Actions button. (3)
    • When done, click the Save Scan Report button. (4)
      • Click the Save Report as button.
      • Save the report to your Desktop.
    • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    Reboot.

    Please run AWF again saving the new log.


    Then please give me an uninstall list.

    To get an Uninstall List from HijackThis:
    • Open HijackThis, click Config, click Misc Tools
    • Click "Open Uninstall Manager"
    • Click "Save List" (generates uninstall_list.txt)
    • Click Save, copy and paste the results in your next post.

    Please post the VundoFix log, the AVG log, the new AWF log, the uninstall list and a new HJT log. (This may take more than one post to fit all the logs.)

    Thanks
    Geri
     
  6. 2007/04/27
    rrdvmail (Thread Starter)
    Here are the VundoFix log and the HJT log. I'll work on the other stuff now. I am at the office and in about half an hour I'll be off, so take your time on this, because I'll be back on Monday to take it from there. THANKS A LOT FOR YOUR VALUABLE HELP. THIS POPUP THING IS DRIVING ME NUTS.


    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 4:07:05 PM 4/26/2007

    Listing files found while scanning....


    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 4:26:50 PM 4/26/2007

    Listing files found while scanning....

    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll

    Beginning removal...

    Attempting to delete C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 11:32:25 AM 4/27/2007

    Listing files found while scanning....

    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 4:20:50 PM 4/27/2007

    Listing files found while scanning....

    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    ****************************************************

    Logfile of HijackThis v1.99.1
    Scan saved at 4:34:40 PM, on 4/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Hijackthis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {59e75159-720b-4353-adb4-1e9b295ee1ad} - C:\WINDOWS\system32\cmpp32.dll (file missing)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\tmpF.tmp.dll
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Mediafour Mac Volume Notifications] "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE" /auto
    O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\xxywts.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Getting Started with MacDrive 5.lnk = C:\Program Files\Mediafour\MacDrive5\MDGSTART.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - http://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/WebPlayer/MMLRadio.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mfpwhispanic.msft
    O17 - HKLM\Software\..\Telephony: DomainName = mfpwhispanic.msft
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mfpwhispanic.msft
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: cmpp32 - cmpp32.dll (file missing)
    O20 - Winlogon Notify: MacDrive-iTunes compatibility - C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: .net_5cciwl - - (no file)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
     
  7. 2007/04/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    I really need those other logs to begin working on a fix.

    Do you have any idea what this is? Something to do with your ISP or company, maybe?
    Domain = mfpwhispanic.msft

    Thanks
    Geri
     
    Last edited: 2007/04/27
  8. 2007/04/27
    Geri
    Hi rrdvmail
    Please make sure not to delete the Vundo backup files until we hear from attribune.

    Please upload the backup Vundo files to

    attribune at uploadmalware.com (use the @ symbol in place of "at")

    In the notes, say attn: attribune

    In the body, put this:

    http://www.windowsbbs.com/showthread.php?t=64189 Malware? Vundo deleted.
    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll,
    Geri

    --------------

    Thanks
    Geri
     
    Last edited: 2007/04/27
  9. 2007/04/27
    Geri
    Hi

    We need to find the exact file/folder path for this: .net_5cciwl

    To do this:
    Click on Start – Search – All Files and Folders – put ".net_5cciwl" in the "All or part of the file name" box. Scroll down and click on "More advanced options". Put a check on "Search system folders", "Search hidden files and folders" and "Search subfolders". Click Search.
    Write down the file/folder path that is given on the right side.
    Please let me know what that is in your next post.

    Geri
     
  10. 2007/04/30
    rrdvmail
    Hi GERI. I'm back at the office today and we can continue with this as long as you have the time.

    I just finished the AVG scan, and your instructions said to change all items in the list to QUARANTINE, but there is a problem: most of them have that option in gray and not selectable. They are set to DELETE. At this point I stopped to await your instructions on this. Do I continue to APPLY ALL ACTIONS with most of the files set on DELETE?? I did a screen grab of the scan result but don't know how to include an attachment here.

    I'll await further instructions.

    I'm still running the search for the file you asked me to. It's taking an awful long time.

    Let me know what to do with the AVG results.
    Thanks!!
     
  11. 2007/04/30
    rrdvmail
    mfpwhispanic.msft: I think it is for the Outlook user profile for the email client or something. mfpwhispanic is the name of the company I work for.

    Another thing. You mention something about the Vundo backup files... I don't know what those are or where to find them. Once you tell me where to find them and I do, do I have to email them to the address you provided me with?
     
  12. 2007/04/30
    rrdvmail
    Hi:
    I posted this a while ago but for some reason it doesn't show. Here it is again,
    the AVG report:
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 2:41:54 PM 4/30/2007

    + Scan result:



    C:\Program Files\Microsoft AntiSpyware\Quarantine\0A779D7D-87FF-4DE8-99A4-5DE162\23330334-B455-45C0-B9D6-10F883 -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\7251C789-7FC6-4159-AEE2-F9ACBC\36626705-B99E-4741-B868-2BD6FC -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\Quarantine\BEDC2550-CDC5-4975-89D9-541FC5\B2BFF6EE-377D-4B93-A969-06DC81 -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\DIGStream\digstream.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Dell Support\DSAgnt.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Dell\Media Experience\PCMService.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Google\Gmail Notifier\gnotify.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\QuickTime\qttask.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\Winamp\Winampa.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\iTunes\iTunesHelper.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP544\A0241591.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP544\A0241624.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP659\A0249401.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP663\A0253951.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\DSentry.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\lsasss.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\UpdReg.EXE -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    [1316] C:\WINDOWS\System32\DSentry.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\DIGStream\bak\digstream.exe -> Not-A-Virus.Downloader.Win32.DigStream.a : Cleaned with backup (quarantined).
    :mozilla.6:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.7:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.8:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.9:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Raymond.MFPWHISPANIC\Cookies\raymond@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.12:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned.
    C:\Documents and Settings\Raymond.MFPWHISPANIC\Cookies\raymond@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\Documents and Settings\Raymond.MFPWHISPANIC\Cookies\raymond@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Raymond.MFPWHISPANIC\Cookies\raymond@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Raymond.MFPWHISPANIC\Cookies\raymond@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.23:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Overture : Cleaned.
    :mozilla.29:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.30:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.31:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.25:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Revenue : Cleaned.
    C:\Documents and Settings\Raymond.MFPWHISPANIC\Cookies\raymond@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.14:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
    :mozilla.27:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.28:C:\Documents and Settings\Raymond.MFPWHISPANIC\Application Data\Mozilla\Profiles\default\46xmb8ks.slt\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end
     
  13. 2007/04/30
    rrdvmail
    Another report you asked me for:


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINDOWS\BAK

    05/11/2000 02:00 AM 90,112 UpdReg.EXE
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\AIM6\BAK

    11/07/2006 11:29 AM 50,736 aim6.exe
    1 File(s) 50,736 bytes

    Directory of C:\PROGRA~1\BITTOR~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\DELLSU~1\BAK

    07/19/2004 08:51 AM 306,688 DSAgnt.exe
    1 File(s) 306,688 bytes

    Directory of C:\PROGRA~1\DIGSTR~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    06/14/2006 04:24 PM 278,528 iTunesHelper.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\MIAF83~1\BAK

    07/12/2005 03:35 PM 473,928 gcasServ.exe
    1 File(s) 473,928 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    07/31/2006 10:43 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\PROGRA~1\WINAMP\BAK

    04/30/2001 04:57 PM 10,752 Winampa.exe
    1 File(s) 10,752 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/29/2002 06:00 AM 13,312 ctfmon.exe
    08/13/2003 11:27 AM 28,672 DSentry.exe
    2 File(s) 41,984 bytes

    Directory of C:\PROGRA~1\COMMON~1\MEDIAF~1\BAK

    12/17/2002 04:43 PM 61,440 MACVNTFY.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

    08/26/2003 08:47 PM 204,800 PCMService.exe
    1 File(s) 204,800 bytes

    Directory of C:\PROGRA~1\GOOGLE\GMAILN~1\BAK

    07/15/2005 05:48 PM 479,232 gnotify.exe
    1 File(s) 479,232 bytes

    Directory of C:\PROGRA~1\TRENDM~1\OFFICE~1\BAK

    11/06/2003 08:27 PM 303,104 pccntmon.exe
    1 File(s) 303,104 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    06/16/2006 02:37 PM 3,334,144 YahooMessenger.exe
    1 File(s) 3,334,144 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    08/06/2003 02:04 AM 114,741 tfswctrl.exe
    1 File(s) 114,741 bytes

    Directory of C:\PROGRA~1\ADOBE\ADOBEV~1\CONTRO~1\BAK

    10/13/2003 04:24 PM 1,732,608 VersionCueTray.exe
    1 File(s) 1,732,608 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    10/28/2004 03:43 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 01:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

    04/03/2002 02:01 AM 135,264 diagent.exe
    1 File(s) 135,264 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\121128~1.546\BAK

    02/07/2007 08:45 AM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    11/10/2005 01:03 PM 36,975 jusched.exe
    1 File(s) 36,975 bytes

    Directory of C:\PROGRA~1\COMMON~1\AOL\113931~1\EE\BAK

    05/09/2006 08:24 PM 50,760 AOLSoftware.exe
    1 File(s) 50,760 bytes

    Directory of N:\HIAPAN~1\PEACHB~2\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of N:\HIAPAN~1\PEACHB~1\PEACHT~1\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of N:\HIAPAN~1\PEACHB~3\PEACHT~1\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of Y:\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE "
    50736 Mar 23 2007 "C:\Program Files\AIM6\aim6.exe "
    50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe "
    50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1139319968\ee\aim6.exe "
    306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe "
    278528 Jun 14 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe "
    473928 Jul 12 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe "
    282624 Jul 31 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    10752 Apr 30 2001 "C:\Program Files\Winamp\bak\Winampa.exe "
    15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe "
    13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe "
    28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    61440 Dec 17 2002 "C:\Program Files\Common Files\Mediafour\bak\MACVNTFY.EXE "
    204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe "
    479232 Jul 15 2005 "C:\Program Files\Google\Gmail Notifier\bak\gnotify.exe "
    303104 Nov 6 2003 "C:\Program Files\Trend Micro\OfficeScan Client\pccntMON.EXE "
    303104 Nov 6 2003 "C:\Program Files\Trend Micro\OfficeScan Client\bak\pccntmon.exe "
    4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe "
    3334144 Jun 16 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe "
    114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe "
    114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe "
    61440 Oct 13 2003 "C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe "
    1732608 Oct 13 2003 "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\bak\VersionCueTray.exe "
    180269 Oct 28 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe "
    3665920 Feb 14 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe "
    458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe "
    171448 Feb 7 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe "
    36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe "
    50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe "
    50760 May 9 2006 "C:\Program Files\Common Files\AOL\1139319968\ee\bak\AOLSoftware.exe "


    end of report
     
  14. 2007/04/30
    rrdvmail
    This is the uninstall list you asked me for:
    3dk-mat-pack v.1205
    ABBYY FineReader OCR Engine for Microtek
    ABBYY PDF Transformer 1.0
    ABBYY ScanTo Office 1.0
    AceFTP 3 Freeware
    Ad-Aware SE Personal
    Adobe Acrobat 5.0
    Adobe Creative Suite
    Adobe Flash Player 9 ActiveX
    Adobe Reader 6.0
    Adobe Shockwave Player
    Adobe SVG Viewer 3.0
    AIM 6
    AVG Anti-Spyware 7.5
    Bink and Smacker
    Business Contact Manager for Outlook 2003
    Click'N Design 3D
    Dell Digital Jukebox Driver
    Dell Media Experience
    Dell Solution Center
    Dell Support 5.0.0 (766)
    Disney Motion
    DVD Decrypter (Remove Only)
    DVDSentry
    EarthLink Setup Files
    Easy CD Ripper 2.31
    FrameForge 3D Studio Demo
    GLOBEtrotter FLEXid Drivers
    Google Earth
    Google Gmail Notifier
    Google Video Player
    Hijackthis 1.99.1
    HijackThis 1.99.1
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    HP Business Inkjet 2600 Series Uninstaller
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet
    InterActual Player
    Internet Explorer Default Page
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java 2 Runtime Environment, SE v1.4.2
    Learn2 Player (Uninstall Only)
    Lexmark Printer Software Uninstall
    LimeWire
    MacDrive 5
    Macromedia Dreamweaver 8
    Macromedia Extension Manager
    Macromedia Fireworks MX
    Macromedia Flash 8
    Macromedia Flash 8 Video Encoder
    Macromedia Flash MX
    Macromedia Flash Player 8
    Macromedia Flash Player 8 Plugin
    Macromedia FreeHand MX
    Magic DVD Ripper V4.2
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB886903)
    Microsoft AntiSpyware
    Microsoft FrontPage 2002
    Microsoft GIF Animator
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
    Mozilla Firefox (2.0.0.3)
    MSN Music Assistant
    Music MasterWorks v3.91
    MUSICMATCH® MX Web Player
    Netscape 6 (6.2.3)
    Pattern Piano and Keyboard Demo
    Pinnacle device drivers
    Pinnacle Hollywood FX 4.6
    Pinnacle Studio AV/DV
    Pinnacle Studio DC10plus
    PowerDVD
    PowerVideoMaker Professional 2.6.6
    QuickTime
    RealPlayer
    ScanWizard 5
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Sentinel System Driver
    SilverFast MicroSDK (Photoshop Plugin)
    SilverFast MicroSDK (TWAIN Plugin)
    Sonic DLA
    Sonic MyDVD
    Sonic RecordNow!
    Sonic Update Manager
    Sony Media Manager 2.0
    Sony Vegas Movie Studio 6.0b
    Sound Blaster Live!
    Spybot - Search & Destroy 1.4
    Studio 8
    Super Mp3 Editor 5.0
    Trend Micro OfficeScan Client
    Trillian
    Unreal Tournament 2004 Demo
    Update for Windows Internet Explorer 7 (KB928089)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB931836)
    Viewpoint Manager (Remove Only)
    Viewpoint Media Player
    Winamp (remove only)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Encoder 7.1
    Windows Media Format Runtime
    Windows Media Player 10
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinMX
    WinRAR archiver
    WinZip
    Yahoo! Address AutoComplete
    Yahoo! Browser Services
    Yahoo! Internet Mail
    Yahoo! Messenger

    Just to let you know, I've been getting attempts by Windows Installer to install or re-install MacDrive 5, which is an app to read and access Mac discs on a PC. I used to have it a long time ago. Don't remember if I had it reinstalled here.

    Let me know if you need anything else, please.
     
  15. 2007/04/30
    Geri
    Hi
    MacDrive 5 is in your uninstall list. Do you use/need it? That is the file I want attribune to see. I'm not sure why Vundo killed it?
    They should be here: C:\vundofix.Backups
    Please do, attribune needs to see it, to see if it is infected or not.


    OK, looks like AVG did half the work for you.
    What this "one" infection does is add rogue files in place of the good original files and move the good files to a backup folder.
    AVG looks like it deleted all the bad ones; now you have to put the good ones back.

    So here is what you need to do.

    Open the bak folder within each file's location, then copy the original and paste it back into the directory AVG deleted the rogue from.

    Example:
    Locate this folder
    "C:\WINDOWS\UpdReg.EXE"
    Copy and paste this one into it.
    "C:\WINDOWS\bak\UpdReg.EXE "


    "C:\WINDOWS\bak\UpdReg.EXE "
    "C:\Program Files\Dell Support\bak\DSAgnt.exe "
    "C:\Program Files\DIGStream\bak\digstream.exe "
    "C:\Program Files\iTunes\bak\iTunesHelper.exe "
    "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe "
    "C:\Program Files\QuickTime\bak\qttask.exe "
    "C:\Program Files\Winamp\bak\Winampa.exe "
    "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    "C:\Program Files\Common Files\Mediafour\bak\MACVNTFY.EXE "
    "C:\Program Files\Dell\Media Experience\bak\PCMService.exe "
    "C:\Program Files\Google\Gmail Notifier\bak\gnotify.exe "
    "C:\Program Files\Trend Micro\OfficeScan Client\bak\pccntmon.exe "
    "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\bak\VersionCueTray.exe "
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
    "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe "
    "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe "
    "C:\Program Files\Common Files\AOL\1139319968\ee\bak\AOLSoftware.exe "



    Make sure you do each one; the BAK one you should delete after you put it back.
    To check this after you put it back, right-click on the original and click Properties; you should see this: 90112 May 11 2000 (see your first AWF posting).

    OK after that do this.

    If there is an InstantAccess icon on the desktop, delete it.
    If there is an AxFreePorn dialup connection present, delete it.

    Download ATF Cleaner by Atribune and save it to your Desktop.

    http://www.atribune.org/ccount/click.php?id=1

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything it can, check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    If you use the Firefox or Opera browsers, you can use this program to clean out their temporary files as well.

    When you have finished, click on the Exit button in the Main menu.

    Reboot, then run FindAWF again and post the log.

    You have other nasties we need to get rid of. I would like the file path for this to send it to be scanned. .net_5cciwl
    I believe it needs to be killed, but I'd like to find out what it is. If you find the path let me know.

    You need to go to add/remove and remove this.
    LimeWire
    WinMX
    P2P file sharing is an excellent way to become infected.

    Please post the new AWF log and a new HJT log.

    Thanks
    Geri
     
    Last edited: 2007/05/01
  16. 2007/05/01
    rrdvmail

    rrdvmail Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    20
    Likes Received:
    0
    I emailed the stuff you asked to attribune but received this reply by the system:

    Hi. This is the qmail-send program at ip-208-109-17-89.ip.secureserver.net.
    I'm afraid I wasn't able to deliver your message to the following addresses.
    This is a permanent error; I've given up. Sorry it didn't work out.

    <attribune@uploadmalware.com>:
    This address no longer accepts mail.


    I also changed the files you told me to, but there were some exceptions, as I clarify here:

    This file could not be found C:\Program Files\DIGStream\bak\digstream.exe

    File in use - couldn't replace it - "C:\Program Files\Trend Micro\OfficeScan Client\bak\pccntmon.exe "

    For the rest, I was able to copy/paste as you told me, but those files, when I select Properties, don't say what you specified in your last message; they have the date of today. Don't know what that has to do with it, so let me know if I can continue with the rest of the instructions. By the way, the MAC DRIVE program: I used it to open MAC CDs, but working became impossible with the insisting installer thing, so I opted to uninstall the program itself and now it doesn't try to install itself over and over.

    I'm also running the search for the file you told me for the second time and it takes forever. So far the only finds are IIS6.LOG and hijackthis.log. I'll post this and when it finishes I'll let you know if something else came up.

    I'll await further instructions regarding this last info I gave you.
    Thanks GERI!!
     
  17. 2007/05/01
    rrdvmail

    rrdvmail Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    20
    Likes Received:
    0
    Well, the search ended and didn't find that file you asked about.

    the only findings were the ones I told you on the last post.

    IIS6.Log - C:\windows
    hijackthis.log - C:\program files\Hijackthis

    The file named .net_5cciwl didn't appear at all.

    Let me know what to do next.
     
  18. 2007/05/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi rrdvmail

    OK, let's see if it's still in a HJT log.

    Please post a new AWF log and a new HJT log. So we can see what else needs fixing.

    You will have to temporarily shut down Trend to do this; after you do so, make sure you start Trend back up again before doing any surfing on the net.

    OK, this file is in all your logs. Please double click on this folder "Disney Motion"; it may be inside that folder. If you don't use this then just delete it in add/remove. If you do use it then check that folder.
    Here is what the file is for. This may not work unless we replace the file.

    "DIGStream Cache Manager - part of ESPN Motion and Disney Motion that periodically check for new videos and indication they're available in the System Tray. Starting ESPN Motion/Disney Motion starts digstream automatically. "

    Please post the new logs and let me know about the other two files.

    Thanks
    Geri
     
  19. 2007/05/03
    rrdvmail

    rrdvmail Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    20
    Likes Received:
    0
    ABOUT TREND - I cannot find a way to turn the service off because it is something that runs from the server, I guess. It is called OFFICE SCAN CLIENT. The program itself doesn't even show in the toolbar at the right of the taskbar as other programs do, where I can turn them off or exit them. I cannot even see it in the TASK MANAGER, so I wouldn't be able to turn it on again even if I could find a way to exit it.

    ABOUT THE FILE FROM DISNEY MOTION - Forget it, I uninstalled the Disney Motion thing, which I don't use. Does that get rid of that particular file problem?

    Out of curiosity... what does the AWF do? How can I quote as you do? Am I not supposed to turn on the spyware program from AVG just yet?


    Here is the HJT Log

    Logfile of HijackThis v1.99.1
    Scan saved at 8:31:15 AM, on 5/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Macromedia\FreeHand MX\FreeHand MX.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccnt.exe
    C:\Program Files\Hijackthis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {59e75159-720b-4353-adb4-1e9b295ee1ad} - C:\WINDOWS\system32\cmpp32.dll (file missing)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\tmpF.tmp.dll
    O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - http://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/WebPlayer/MMLRadio.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mfpwhispanic.msft
    O17 - HKLM\Software\..\Telephony: DomainName = mfpwhispanic.msft
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mfpwhispanic.msft
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: cmpp32 - cmpp32.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: .net_5cciwl - - (no file)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
    O23 - Service: Aslageol - RAVISENT Technologies Inc. - C:\WINDOWS\system32\drivers\CINEMST2.SYS
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



    the AWF log


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINDOWS\BAK

    05/11/2000 02:00 AM 90,112 UpdReg.EXE
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\AIM6\BAK

    11/07/2006 11:29 AM 50,736 aim6.exe
    1 File(s) 50,736 bytes

    Directory of C:\PROGRA~1\BITTOR~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\DELLSU~1\BAK

    07/19/2004 08:51 AM 306,688 DSAgnt.exe
    1 File(s) 306,688 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    06/14/2006 04:24 PM 278,528 iTunesHelper.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\MIAF83~1\BAK

    07/12/2005 03:35 PM 473,928 gcasServ.exe
    1 File(s) 473,928 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    07/31/2006 10:43 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\PROGRA~1\WINAMP\BAK

    04/30/2001 04:57 PM 10,752 Winampa.exe
    1 File(s) 10,752 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/29/2002 06:00 AM 13,312 ctfmon.exe
    08/13/2003 11:27 AM 28,672 DSentry.exe
    2 File(s) 41,984 bytes

    Directory of C:\PROGRA~1\COMMON~1\MEDIAF~1\BAK

    12/17/2002 04:43 PM 61,440 MACVNTFY.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

    08/26/2003 08:47 PM 204,800 PCMService.exe
    1 File(s) 204,800 bytes

    Directory of C:\PROGRA~1\GOOGLE\GMAILN~1\BAK

    07/15/2005 05:48 PM 479,232 gnotify.exe
    1 File(s) 479,232 bytes

    Directory of C:\PROGRA~1\TRENDM~1\OFFICE~1\BAK

    11/06/2003 08:27 PM 303,104 pccntmon.exe
    1 File(s) 303,104 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    06/16/2006 02:37 PM 3,334,144 YahooMessenger.exe
    1 File(s) 3,334,144 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    08/06/2003 02:04 AM 114,741 tfswctrl.exe
    1 File(s) 114,741 bytes

    Directory of C:\PROGRA~1\ADOBE\ADOBEV~1\CONTRO~1\BAK

    10/13/2003 04:24 PM 1,732,608 VersionCueTray.exe
    1 File(s) 1,732,608 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    10/28/2004 03:43 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 01:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

    04/03/2002 02:01 AM 135,264 diagent.exe
    1 File(s) 135,264 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~3\121128~1.546\BAK

    02/07/2007 08:45 AM 171,448 GoogleToolbarNotifier.exe
    1 File(s) 171,448 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    11/10/2005 01:03 PM 36,975 jusched.exe
    1 File(s) 36,975 bytes

    Directory of C:\PROGRA~1\COMMON~1\AOL\113931~1\EE\BAK

    05/09/2006 08:24 PM 50,760 AOLSoftware.exe
    1 File(s) 50,760 bytes

    Directory of N:\HIAPAN~1\PEACHB~2\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of N:\HIAPAN~1\PEACHB~1\PEACHT~1\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of N:\HIAPAN~1\PEACHB~3\PEACHT~1\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes

    Directory of Y:\METRO1~1\UP~8~BAK

    0 File(s) 0 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE "
    90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE "
    50736 Mar 23 2007 "C:\Program Files\AIM6\aim6.exe "
    50736 Nov 7 2006 "C:\Program Files\AIM6\bak\aim6.exe "
    50768 Aug 28 2006 "C:\Program Files\Common Files\AOL\1139319968\ee\aim6.exe "
    306688 Jul 19 2004 "C:\Program Files\Dell Support\DSAgnt.exe "
    306688 Jul 19 2004 "C:\Program Files\Dell Support\bak\DSAgnt.exe "
    278528 Jun 14 2006 "C:\Program Files\iTunes\iTunesHelper.exe "
    278528 Jun 14 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe "
    473928 Jul 12 2005 "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    473928 Jul 12 2005 "C:\Program Files\Microsoft AntiSpyware\bak\gcasServ.exe "
    282624 Jul 31 2006 "C:\Program Files\QuickTime\qttask.exe "
    282624 Jul 31 2006 "C:\Program Files\QuickTime\bak\qttask.exe "
    10752 Apr 30 2001 "C:\Program Files\Winamp\Winampa.exe "
    10752 Apr 30 2001 "C:\Program Files\Winamp\bak\Winampa.exe "
    15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe "
    13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe "
    28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\DSentry.exe "
    28672 Aug 13 2003 "C:\WINDOWS\SYSTEM32\bak\DSentry.exe "
    61440 Dec 17 2002 "C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE "
    61440 Dec 17 2002 "C:\Program Files\Common Files\Mediafour\bak\MACVNTFY.EXE "
    204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\PCMService.exe "
    204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe "
    479232 Jul 15 2005 "C:\Program Files\Google\Gmail Notifier\gnotify.exe "
    479232 Jul 15 2005 "C:\Program Files\Google\Gmail Notifier\bak\gnotify.exe "
    303104 Nov 6 2003 "C:\Program Files\Trend Micro\OfficeScan Client\pccntMON.EXE "
    303104 Nov 6 2003 "C:\Program Files\Trend Micro\OfficeScan Client\bak\pccntmon.exe "
    4670968 Mar 27 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe "
    3334144 Jun 16 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe "
    114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe "
    114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe "
    1732608 Oct 13 2003 "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe "
    61440 Oct 13 2003 "C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe "
    1732608 Oct 13 2003 "C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\bak\VersionCueTray.exe "
    180269 Oct 28 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe "
    180269 Oct 28 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe "
    135264 Apr 3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe "
    3665920 Feb 14 2006 "C:\Program Files\Google\Google Video Player\GoogleVideoPlayer.exe "
    458820 Nov 17 2005 "C:\Program Files\Google\Google Earth\GoogleEarth.exe "
    171448 Feb 7 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe "
    171448 Feb 7 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe "
    36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe "
    36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe "
    50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe "
    50760 May 9 2006 "C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe "
    50760 May 9 2006 "C:\Program Files\Common Files\AOL\1139319968\ee\bak\AOLSoftware.exe "


    end of report

    Thanks!
     
  20. 2007/05/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi rrdvmail
    OK things are looking better.

    That's OK it looks like it recreated the file itself.

    Yes, so we won't worry about that.

    AWF finds bak folders, or backup folders. Some infections, such as this one, create files and move the good file to a backup; when this happens you are running all those programs from the infected files.

    When you reply to a post, up at the top there is a quote box. If you put your cursor on it, it says, "Wrap
     
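Geri's explanation of what AWF does, and the earlier instruction to check each restored original against its bak copy by size and date (for UpdReg.EXE: 90112 May 11 2000), can be automated over the "Duplicate files of bak directory contents" section of the report. The script below is an added example, not part of the thread or of FindAWF: it pairs every file under a bak folder with the file at the same path without the bak segment and reports whether the two match, differ, or the original is absent from the report. The sample report is a constructed subset of lines copied from the AWF log posted above; the `Entry` type and the verdict strings are my own.

```python
"""Compare files in AWF 'bak' folders with the originals that replaced them.

Added example, not part of the forum thread or of FindAWF. A mismatch is a
prompt to inspect the in-place file, not a verdict: a legitimate update can
also differ from its backup.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the AWF report posted in the thread.
SAMPLE_REPORT = r"""
90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE "
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE "
15360 Aug 4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe "
13312 Aug 29 2002 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe "
303104 Nov 6 2003 "C:\Program Files\Trend Micro\OfficeScan Client\pccntMON.EXE "
303104 Nov 6 2003 "C:\Program Files\Trend Micro\OfficeScan Client\bak\pccntmon.exe "
114741 Aug 6 2003 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe "
114741 Aug 6 2003 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe "
"""

# size, "Mon D YYYY", quoted path (AWF leaves a trailing space inside the quotes)
AWF_LINE = re.compile(
    r'^(?P<size>\d+)\s+(?P<date>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"(?P<path>.+?)\s*"$'
)
BAK_SEGMENT = re.compile(r"\\bak\\", re.IGNORECASE)


@dataclass
class Entry:
    size: int
    date: str
    path: str


def parse_duplicates(report_text):
    """Parse the 'Duplicate files of bak directory contents' lines into entries."""
    entries = []
    for raw in report_text.splitlines():
        m = AWF_LINE.match(raw.strip())
        if m:
            date = " ".join(m["date"].split())  # normalise spacing in the date
            entries.append(Entry(int(m["size"]), date, m["path"]))
    return entries


def original_path_for(bak_path):
    """C:\\dir\\bak\\file.exe -> C:\\dir\\file.exe (first bak segment only)."""
    return BAK_SEGMENT.sub(lambda _m: "\\", bak_path, count=1)


def compare_bak_pairs(entries):
    """Return {original_path: verdict} for every file found under a bak folder."""
    in_place = {e.path.lower(): e for e in entries if not BAK_SEGMENT.search(e.path)}
    results = {}
    for bak in entries:
        if not BAK_SEGMENT.search(bak.path):
            continue
        original_path = original_path_for(bak.path)
        original = in_place.get(original_path.lower())
        if original is None:
            verdict = "original missing: no file at the expected path in the report"
        elif original.size == bak.size and original.date == bak.date:
            verdict = "matches backup"
        else:
            verdict = (f"differs from backup: in place {original.size} {original.date}, "
                       f"bak {bak.size} {bak.date}")
        results[original_path] = verdict
    return results


if __name__ == "__main__":
    for path, verdict in compare_bak_pairs(parse_duplicates(SAMPLE_REPORT)).items():
        print(f"{verdict:<70} {path}")
```

In the sample, UpdReg.EXE and pccntmon.exe match their backups (the comparison is case-insensitive, since AWF prints pccntMON.EXE for one and pccntmon.exe for the other), ctfmon.exe differs (the bak copy is older and smaller, so the file in place is the one to look at), and the tfswctrl.exe backup has no in-place sibling listed at all.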
  21. 2007/05/04
    rrdvmail

    rrdvmail Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    20
    Likes Received:
    0
    the vundo log:

    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 4:07:05 PM 4/26/2007

    Listing files found while scanning....


    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 4:26:50 PM 4/26/2007

    Listing files found while scanning....

    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll

    Beginning removal...

    Attempting to delete C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll
    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 11:32:25 AM 4/27/2007

    Listing files found while scanning....

    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 4:20:50 PM 4/27/2007

    Listing files found while scanning....

    C:\Program Files\Common Files\Mediafour\MacDriveiTunesPatch.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!

    VundoFix V6.3.20

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 3:49:04 PM 5/4/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tmpF.tmp.dll
    C:\WINDOWS\system32\tmpF.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!


    HJT log

    Logfile of HijackThis v1.99.1
    Scan saved at 5:00:53 PM, on 5/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Trend Micro\OfficeScan Client\ofcdog.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    C:\Program Files\Google\Gmail Notifier\gnotify.exe
    C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Trend Micro\OfficeScan Client\pccntupd.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\DllHost.exe
    C:\Program Files\Macromedia\FreeHand MX\FreeHand MX.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jucheck.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\Acrodist.exe
    C:\Program Files\Hijackthis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {59e75159-720b-4353-adb4-1e9b295ee1ad} - C:\WINDOWS\system32\cmpp32.dll (file missing)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\tmpF.tmp.dll (file missing)
    O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
    O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1139319968\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Uniblue Registry Booster2] C:\Program Files\Uniblue\RegistryBooster2\RegistryBooster.exe /S
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - http://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/WebPlayer/MMLRadio.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = mfpwhispanic.msft
    O17 - HKLM\Software\..\Telephony: DomainName = mfpwhispanic.msft
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = mfpwhispanic.msft
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: cmpp32 - cmpp32.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: .net_5cciwl - - (no file)
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: CA License Client (CA_LIC_CLNT) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmt.exe
    O23 - Service: CA License Server (CA_LIC_SRVR) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\lic98rmtd.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Event Log Watch (LogWatch) - Computer Associates - C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
    O23 - Service: OfficeScanNT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

    See ya on Monday again. THANKS!!
     
