
virus help

Discussion in 'Malware and Virus Removal Archive' started by donhu, 2007/10/29.

  1. 2007/10/29
    donhu

    Hi
    I am hoping someone out there can help me. A couple of weeks ago my computer started acting up and I knew I had a virus. After running a HijackThis log I found something called "about a dog" or maybe "whataboutadog" (can't remember which). I tried everything I could think of to get rid of it, but it kept coming back. Last week I went through and deleted numerous programs/files that I didn't need anymore and the "dog" disappeared; it is no longer in my trusted sites and it seems the problems I was having are gone. As I heard this virus can be difficult to get rid of, I'm afraid it's still out there somewhere and I just can't see it. I really don't know that much about computers. I am posting my HijackThis log hoping someone can tell me if there is anything else that I need to lose and if the dog is really gone for good. I would really appreciate any help at all.
    Thanks


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:04:05 PM, on 10/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe "
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    --
    End of file - 9896 bytes
     
  2. 2007/10/29
    noahdfear

    Welcome to WindowsBBS donhu :)

    Note: You must be logged onto an account with administrator privileges to complete the following.

    Download Deckard's System Scanner (dss.exe) to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open: main.txt, which will be maximized, and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.


    Please download FindAWF
    Save the file to the Desktop
    Double-click the FindAWF icon.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: press 1, then Enter, to scan for bak folders.
    The scan may take a while, please be patient.

    When done, awf.txt will open. Please post its contents here.
     


  4. 2007/10/30
    donhu

    Hi Dave
    Thanks for the help. Here are the logs....

    Deckard's System Scanner v20071014.68
    Run by Owner on 2007-10-30 21:35:24
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 448 MiB (512 MiB recommended).


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:35:30 PM, on 10/30/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    --
    End of file - 9596 bytes

    -- Files created between 2007-09-30 and 2007-10-30 -----------------------------

    2007-10-29 20:28:20 0 d-------- C:\WINDOWS\SxsCaPendDel
    2007-10-29 19:15:27 0 d-------- C:\Program Files\STOPzilla!
    2007-10-29 19:15:25 0 d-------- C:\Program Files\Common Files\iS3
    2007-10-29 19:15:24 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2007-10-23 20:50:50 0 d-------- C:\Documents and Settings\Owner\Application Data\SpywareBot
    2007-10-23 20:50:49 0 d-------- C:\Program Files\SpywareBot
    2007-10-23 20:12:41 0 d-------- C:\Program Files\RegCure
    2007-10-21 22:21:21 0 d-------- C:\DonnaDocs
    2007-10-21 21:02:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2007-10-14 16:50:13 63 --a------ C:\WINDOWS\system\SysSD.dll
    2007-10-14 09:24:29 0 d--h----- C:\WINDOWS\PIF
    2007-10-14 00:03:13 0 dr-h----- C:\$VAULT$.AVG
    2007-10-14 00:01:18 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-10-14 00:00:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-13 23:59:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-13 23:59:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-11 14:53:16 0 d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
    2007-10-11 14:41:53 0 d-------- C:\Program Files\Trend Micro
    2007-10-08 18:09:28 0 d-------- C:\WINDOWS\system32\yw1
    2007-10-08 18:09:28 0 d-------- C:\WINDOWS\system32\sim7
    2007-10-08 18:09:27 0 d-------- C:\WINDOWS\system32\ipz2
    2007-10-08 18:08:54 0 d-------- C:\WINDOWS\system32\zp1
    2007-10-05 20:18:00 0 d-------- C:\WINDOWS\system32\bak
    2007-10-05 20:18:00 0 d-------- C:\WINDOWS\system\bak


    -- Find3M Report ---------------------------------------------------------------

    2007-10-29 19:17:23 0 d-------- C:\Program Files\iTunes
    2007-10-29 19:15:25 0 d-------- C:\Program Files\Common Files
    2007-10-22 09:56:21 0 d-------- C:\Program Files\TrueSwitchComcast
    2007-10-05 20:25:42 0 d-------- C:\Program Files\QuickTime
    2007-10-05 20:25:42 0 d-------- C:\Program Files\Multimedia Card Reader
    2007-10-05 20:23:06 28172 --a------ C:\WINDOWS\system32\ps2.exe
    2007-10-05 20:23:06 28172 --a------ C:\WINDOWS\system32\NeroCheck.exe
    2007-10-05 20:23:06 28172 --a------ C:\WINDOWS\system32\hphmon05.exe
    2007-10-05 20:16:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Real
    2007-08-09 14:51:53 664 --a------ C:\WINDOWS\system32\d3d9caps.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv "= "c:\windows\system\hpsysdrv.exe" [10/05/2007 08:23 PM]
    "KBD "= "C:\HP\KBD\KBD.EXE" [10/05/2007 08:23 PM]
    "UpdateManager "= "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [10/05/2007 08:23 PM]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [10/05/2007 08:23 PM]
    "Recguard "= "C:\WINDOWS\SMINST\RECGUARD.EXE" [10/05/2007 08:23 PM]
    "AGRSMMSG "= "AGRSMMSG.exe" [03/04/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
    "PS2 "= "C:\WINDOWS\system32\ps2.exe" [10/05/2007 08:23 PM]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [02/23/2004 03:43 PM]
    "Sunkist2k "= "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [10/05/2007 08:23 PM]
    "HPDJ Taskbar Utility "= "C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [10/05/2007 08:23 PM]
    "AlcxMonitor "= "ALCXMNTR.EXE" [09/07/2004 02:47 PM C:\WINDOWS\ALCXMNTR.EXE]
    "QuickTime Task "= "C:\Program Files\QuickTime\bak\qttask.exe" [04/27/2007 09:41 AM]
    "avast! "= "C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04/30/2007 11:42 AM]
    "RoxioDragToDisc "= "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [10/05/2007 08:23 PM]
    "RoxWatchTray "= "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [10/05/2007 08:23 PM]
    "AVG7_CC "= "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [10/23/2007 12:12 PM]
    "Acrobat Assistant 8.0 "= "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [10/22/2006 11:24 PM]
    "RegistryMechanic "=" " []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify "= "c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [10/05/2007 08:23 PM]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 03:56 AM]
    "MtdAcqu "= "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [10/05/2007 08:23 PM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [1/20/2004 11:59:55 PM]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "




    -- End of Deckard's System Scanner: finished at 2007-10-30 21:35:48 ------------


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Tue 10/30/2007
    The current time is: 21:36:10.89


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    02/11/2003 11:02 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    06/01/2007 04:51 PM 257,088 iTunesHelper.exe
    1 File(s) 257,088 bytes

    Directory of C:\PROGRA~1\MULTIM~1\BAK

    10/29/2003 11:17 AM 135,168 shwicon2k.exe
    1 File(s) 135,168 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    04/27/2007 09:41 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    11/03/2003 08:50 PM 221,184 RECGUARD.EXE
    1 File(s) 221,184 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    10/20/2007 10:01 PM 182 hpsysdrv.DAT
    05/07/1998 08:04 PM 52,736 hpsysdrv.exe
    2 File(s) 52,918 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:56 AM 15,360 ctfmon.exe
    08/21/2003 07:15 AM 483,328 hphmon05.exe
    08/06/2001 08:03 PM 155,648 NeroCheck.exe
    10/16/2002 07:57 PM 81,920 ps2.exe
    4 File(s) 736,256 bytes

    Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    04/30/2007 11:42 AM 75,392 ashDisp.exe
    1 File(s) 75,392 bytes

    Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\BAK

    03/08/2006 08:56 AM 278,528 MtdAcqu.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\HP\{45B61~1\BAK

    08/21/2003 07:23 AM 49,152 hphupd05.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\MICROS~4\OFFICE12\BAK

    10/27/2006 12:47 AM 31,016 GrooveMonitor.exe
    1 File(s) 31,016 bytes

    Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\ACROBAT\BAK

    05/10/2007 10:46 PM 624,248 Acrotray.exe
    1 File(s) 624,248 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    01/20/2004 11:22 PM 151,597 realsched.exe
    1 File(s) 151,597 bytes

    Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SHARED~2\BAK

    10/21/2005 07:13 PM 163,840 RoxWatchTray.exe
    1 File(s) 163,840 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 12:01 PM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

    01/09/2004 05:34 AM 32,768 backupnotify.exe
    1 File(s) 32,768 bytes

    Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

    07/12/2007 04:00 AM 132,496 jusched.exe
    1 File(s) 132,496 bytes

    Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

    10/21/2005 12:47 AM 1,687,552 DrgToDsc.exe
    1 File(s) 1,687,552 bytes

    Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

    03/12/2003 08:23 AM 172,032 hpztsb08.exe
    1 File(s) 172,032 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    28172 Oct 5 2007 "C:\hp\KBD\KBD.EXE "
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE "
    257088 Jun 1 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe "
    102400 Jun 16 2007 "C:\WINDOWS\Installer\{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}\iTunesIco.exe "
    116288 Jun 1 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.2.0.35\iTunesSetupAdmin.exe "
    28172 Oct 5 2007 "C:\Program Files\Multimedia Card Reader\shwicon2k.exe "
    135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe "
    28172 Oct 5 2007 "C:\Program Files\QuickTime\qttask.exe "
    282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe "
    28172 Oct 5 2007 "C:\WINDOWS\SMINST\RECGUARD.EXE "
    221184 Nov 3 2003 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE "
    188 Oct 5 2007 "C:\WINDOWS\system\hpsysdrv.DAT "
    182 Oct 20 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT "
    28172 Oct 5 2007 "C:\WINDOWS\system\hpsysdrv.exe "
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe "
    28172 Oct 5 2007 "C:\WINDOWS\system32\hphmon05.exe "
    483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe "
    28172 Oct 5 2007 "C:\WINDOWS\system32\NeroCheck.exe "
    155648 Aug 6 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe "
    28172 Oct 5 2007 "C:\WINDOWS\system32\ps2.exe "
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE "
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe "
    75392 Apr 30 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe "
    75392 Apr 30 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe "
    28172 Oct 5 2007 "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe "
    278528 Mar 8 2006 "C:\Program Files\Creative\MediaSource5\bak\MtdAcqu.exe "
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe "
    65824 Oct 27 2006 "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe "
    31016 Oct 27 2006 "C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe "
    620152 Oct 22 2006 "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe "
    624248 May 10 2007 "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe "
    28172 Oct 5 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe "
    151597 Jan 20 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    28172 Oct 5 2007 "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe "
    163840 Oct 21 2005 "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\bak\RoxWatchTray.exe "
    28172 Oct 5 2007 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    28172 Oct 5 2007 "C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe "
    32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe "
    32881 Jan 20 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe "
    83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    28172 Oct 5 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe "
    28172 Oct 5 2007 "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    1687552 Oct 21 2005 "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\bak\DrgToDsc.exe "
    28172 Oct 5 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe "
    172032 Mar 12 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb08.exe "


    end of report
     
  5. 2007/10/30
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
You have an active AWF infection that has replaced legitimate files on your system with rogue copies. Let's get them restored and see if we can kill off the infection. Download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Highlight and copy the bolded list of files to be restored from below.


    "C:\hp\KBD\bak\KBD.EXE "
    "C:\Program Files\iTunes\bak\iTunesHelper.exe "
    "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe "
    "C:\Program Files\QuickTime\bak\qttask.exe "
    "C:\WINDOWS\SMINST\bak\RECGUARD.EXE "
    "C:\WINDOWS\system\bak\hpsysdrv.exe "
    "C:\WINDOWS\system32\bak\hphmon05.exe "
    "C:\WINDOWS\system32\bak\NeroCheck.exe "
    "C:\WINDOWS\system32\bak\ps2.exe "
    "C:\Program Files\Creative\MediaSource5\bak\MtdAcqu.exe "
    "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe "
    "C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe "
    "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe "
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\bak\RoxWatchTray.exe "
    "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe "
    "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe "
    "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\bak\DrgToDsc.exe "
    "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hp ztsb08.exe "



    Double-click the FindAWF icon once again.

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 2 then Enter to restore files from bak folders

    A text file will open called: files.txt
    Click below the line and paste the list of files to be restored.

    Next, close files.txt and click Yes to save the changes.

    Once files.txt is saved, FindAWF does the following:
    -It attempts to terminate the process represented by each filename on the list, if running
    -Deletes the rogue file from the parent folder, if present
    -Copies the original file to the parent folder

    When done with the above, it automatically runs a new scan and opens a new log. Please post the contents of the new awf.txt log here, then Reboot to allow ATF Cleaner to finish removing temp files that were in use.
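The "Duplicate files of bak directory contents" section of the FindAWF log is what the helper reads to decide which files to restore: a live file next to a `bak` folder that is a different size from the original inside it (here the 28172-byte, Oct 5 2007 copies) is still the rogue replacement; one that matches (ctfmon.exe) was not replaced, and an entry with no live counterpart means only the original survives. The script below is an added example, not FindAWF's own code or anything noahdfear posted: it parses that listing, pairs every `bak` original with its parent-folder file, sorts the pairs into those buckets, builds the quoted paste list for option 2, and checks a paste list against the listing so that a path mangled in transit (as happens later in this thread, where a space was inserted into a filename) is caught before the tool runs. The sample listing is a constructed subset of the log above, and the function names are mine.

```python
import re
import ntpath

# One line of the FindAWF duplicate listing:  <size> <Mon> <day> <year> "<path> "
# The real log puts a space before the closing quote; the pattern tolerates and strips it.
LINE_RE = re.compile(
    r'^\s*(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.*?)\s*"\s*$'
)

# Constructed sample: a subset of the pre-restore listing from the log above.
SAMPLE_LISTING = r'''
28172 Oct 5 2007 "C:\hp\KBD\KBD.EXE "
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE "
188 Oct 5 2007 "C:\WINDOWS\system\hpsysdrv.DAT "
182 Oct 20 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT "
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe "
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe "
49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe "
28172 Oct 5 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe "
172032 Mar 12 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb08.exe "
'''


def parse_listing(text):
    """Return a list of (size, date, path) tuples, one per well-formed listing line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries.append((int(size), f"{mon} {day} {year}", path.strip()))
    return entries


def pair_with_bak(entries):
    """Map each parent-folder path to the original kept in its 'bak' subfolder.

    Result: {parent_path: {"bak": (size, date), "parent": (size, date) or None}}
    A None parent means the bak folder holds an original with no live copy beside it.
    """
    by_path = {path.lower(): (size, date) for size, date, path in entries}
    pairs = {}
    for size, date, path in entries:
        folder, name = ntpath.split(path)
        if ntpath.basename(folder).lower() != "bak":
            continue
        parent_path = ntpath.join(ntpath.dirname(folder), name)
        pairs[parent_path] = {"bak": (size, date), "parent": by_path.get(parent_path.lower())}
    return pairs


def classify(pairs):
    """Bucket the pairs by comparing the live copy's size with the bak original's.

    still_rogue: live copy exists but its size differs from the original (not restored yet)
    matching:    sizes agree (never replaced, or already restored); a size match is a lead,
                 not proof of identity, so hash both files when they are to hand
    no_parent:   only the bak original exists
    """
    still_rogue, matching, no_parent = [], [], []
    for parent_path, info in sorted(pairs.items()):
        if info["parent"] is None:
            no_parent.append(parent_path)
        elif info["parent"][0] != info["bak"][0]:
            still_rogue.append(parent_path)
        else:
            matching.append(parent_path)
    return still_rogue, matching, no_parent


def restore_list(still_rogue, no_parent):
    """Build the quoted bak paths to paste into FindAWF's files.txt for option 2.

    Only executables are listed; data files such as hpsysdrv.DAT are left for manual
    judgement, since a size difference there is routine (a design choice of this example).
    """
    out = []
    for parent_path in still_rogue + no_parent:
        if parent_path.lower().endswith(".exe"):
            folder, name = ntpath.split(parent_path)
            out.append(f'"{ntpath.join(folder, "bak", name)}"')
    return out


def validate_paste(paste_lines, entries):
    """Return paste lines whose path does not appear in the listing at all.

    Guards against a path altered between log and paste (e.g. a space inserted into a
    filename) so option 2 is not run against a file that does not exist.
    """
    known = {path.lower() for _, _, path in entries}
    return [line.strip() for line in paste_lines
            if line.strip().strip('"').strip().lower() not in known]


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    rogue, same, orphan = classify(pair_with_bak(entries))
    print("still rogue:", *rogue, sep="\n  ")
    print("matching:", *same, sep="\n  ")
    print("bak only:", *orphan, sep="\n  ")
    print("paste for option 2:", *restore_list(rogue, orphan), sep="\n  ")
```

Run it against a saved awf.txt by replacing `SAMPLE_LISTING` with the file's contents; the "still rogue" bucket should be empty after option 2 has run, which is exactly what the later logs in this thread show once every file was restored.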
     
  6. 2007/10/31
    donhu

    donhu Inactive Thread Starter

    Joined:
    2007/10/15
    Messages:
    7
    Likes Received:
    0
    I did as directed and here is the new log.


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Wed 10/31/2007
    The current time is: 8:59:36.54


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    02/11/2003 11:02 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    06/01/2007 04:51 PM 257,088 iTunesHelper.exe
    1 File(s) 257,088 bytes

    Directory of C:\PROGRA~1\MULTIM~1\BAK

    10/29/2003 11:17 AM 135,168 shwicon2k.exe
    1 File(s) 135,168 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    04/27/2007 09:41 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    11/03/2003 08:50 PM 221,184 RECGUARD.EXE
    1 File(s) 221,184 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    10/20/2007 10:01 PM 182 hpsysdrv.DAT
    05/07/1998 08:04 PM 52,736 hpsysdrv.exe
    2 File(s) 52,918 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 03:56 AM 15,360 ctfmon.exe
    08/21/2003 07:15 AM 483,328 hphmon05.exe
    08/06/2001 08:03 PM 155,648 NeroCheck.exe
    10/16/2002 07:57 PM 81,920 ps2.exe
    4 File(s) 736,256 bytes

    Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    04/30/2007 11:42 AM 75,392 ashDisp.exe
    1 File(s) 75,392 bytes

    Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\BAK

    03/08/2006 08:56 AM 278,528 MtdAcqu.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\HP\{45B61~1\BAK

    08/21/2003 07:23 AM 49,152 hphupd05.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\MICROS~4\OFFICE12\BAK

    10/27/2006 12:47 AM 31,016 GrooveMonitor.exe
    1 File(s) 31,016 bytes

    Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\ACROBAT\BAK

    05/10/2007 10:46 PM 624,248 Acrotray.exe
    1 File(s) 624,248 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    01/20/2004 11:22 PM 151,597 realsched.exe
    1 File(s) 151,597 bytes

    Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SHARED~2\BAK

    10/21/2005 07:13 PM 163,840 RoxWatchTray.exe
    1 File(s) 163,840 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 12:01 PM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

    01/09/2004 05:34 AM 32,768 backupnotify.exe
    1 File(s) 32,768 bytes

    Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

    07/12/2007 04:00 AM 132,496 jusched.exe
    1 File(s) 132,496 bytes

    Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

    10/21/2005 12:47 AM 1,687,552 DrgToDsc.exe
    1 File(s) 1,687,552 bytes

    Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

    03/12/2003 08:23 AM 172,032 hpztsb08.exe
    1 File(s) 172,032 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE "
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE "
    257088 Jun 1 2007 "C:\Program Files\iTunes\iTunesHelper.exe "
    257088 Jun 1 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe "
    102400 Jun 16 2007 "C:\WINDOWS\Installer\{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}\iTunesIco.exe "
    116288 Jun 1 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.2.0.35\iTunesSetupAdmin.exe "
    135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\shwicon2k.exe "
    135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe "
    282624 Apr 27 2007 "C:\Program Files\QuickTime\qttask.exe "
    282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe "
    221184 Nov 3 2003 "C:\WINDOWS\SMINST\RECGUARD.EXE "
    221184 Nov 3 2003 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE "
    188 Oct 5 2007 "C:\WINDOWS\system\hpsysdrv.DAT "
    182 Oct 20 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT "
    52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe "
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe "
    483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe "
    483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe "
    155648 Aug 6 2001 "C:\WINDOWS\system32\NeroCheck.exe "
    155648 Aug 6 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe "
    81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe "
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE "
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe "
    75392 Apr 30 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe "
    75392 Apr 30 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe "
    278528 Mar 8 2006 "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe "
    278528 Mar 8 2006 "C:\Program Files\Creative\MediaSource5\bak\MtdAcqu.exe "
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe "
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe "
    65824 Oct 27 2006 "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe "
    31016 Oct 27 2006 "C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe "
    624248 May 10 2007 "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    624248 May 10 2007 "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe "
    151597 Jan 20 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe "
    151597 Jan 20 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    163840 Oct 21 2005 "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe "
    163840 Oct 21 2005 "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\bak\RoxWatchTray.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe "
    32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe "
    32881 Jan 20 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe "
    83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe "
    1687552 Oct 21 2005 "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    1687552 Oct 21 2005 "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\bak\DrgToDsc.exe "
    28172 Oct 5 2007 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe "
    172032 Mar 12 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb08.exe "


    end of report
     
  7. 2007/10/31
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Good job! We need to re-do 1 file. The forum software added a space in the path that I didn't notice. :rolleyes: Copy the bolded filepath below and run option 2 again with it. Post the new log.

    "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb08.exe "
     
  8. 2007/11/05
    donhu

    donhu Inactive Thread Starter

    Joined:
    2007/10/15
    Messages:
    7
    Likes Received:
    0
    Hi Dave
    Sorry it took so long for me to get back to you. I had to go out of town unexpectedly Fri and just got back. I did as directed and here is the new log.
    Thanks
    Donna


    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Mon 11/05/2007
    The current time is: 20:47:14.20


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    02/11/2003 10:02 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    06/01/2007 03:51 PM 257,088 iTunesHelper.exe
    1 File(s) 257,088 bytes

    Directory of C:\PROGRA~1\MULTIM~1\BAK

    10/29/2003 10:17 AM 135,168 shwicon2k.exe
    1 File(s) 135,168 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    04/27/2007 08:41 AM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SMINST\BAK

    11/03/2003 07:50 PM 221,184 RECGUARD.EXE
    1 File(s) 221,184 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    10/20/2007 09:01 PM 182 hpsysdrv.DAT
    05/07/1998 07:04 PM 52,736 hpsysdrv.exe
    2 File(s) 52,918 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 02:56 AM 15,360 ctfmon.exe
    08/21/2003 06:15 AM 483,328 hphmon05.exe
    08/06/2001 07:03 PM 155,648 NeroCheck.exe
    10/16/2002 06:57 PM 81,920 ps2.exe
    4 File(s) 736,256 bytes

    Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    04/30/2007 10:42 AM 75,392 ashDisp.exe
    1 File(s) 75,392 bytes

    Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\BAK

    03/08/2006 07:56 AM 278,528 MtdAcqu.exe
    1 File(s) 278,528 bytes

    Directory of C:\PROGRA~1\HP\{45B61~1\BAK

    08/21/2003 06:23 AM 49,152 hphupd05.exe
    1 File(s) 49,152 bytes

    Directory of C:\PROGRA~1\MICROS~4\OFFICE12\BAK

    10/26/2006 11:47 PM 31,016 GrooveMonitor.exe
    1 File(s) 31,016 bytes

    Directory of C:\PROGRA~1\ADOBE\ACROBA~3.0\ACROBAT\BAK

    05/10/2007 09:46 PM 624,248 Acrotray.exe
    1 File(s) 624,248 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    01/20/2004 10:22 PM 151,597 realsched.exe
    1 File(s) 151,597 bytes

    Directory of C:\PROGRA~1\COMMON~1\ROXIOS~1\SHARED~2\BAK

    10/21/2005 06:13 PM 163,840 RoxWatchTray.exe
    1 File(s) 163,840 bytes

    Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

    08/19/2003 11:01 AM 110,592 sgtray.exe
    1 File(s) 110,592 bytes

    Directory of C:\PROGRA~1\HP\DIGITA~1\BIN\BAK

    01/09/2004 04:34 AM 32,768 backupnotify.exe
    1 File(s) 32,768 bytes

    Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

    07/12/2007 03:00 AM 132,496 jusched.exe
    1 File(s) 132,496 bytes

    Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK

    10/20/2005 11:47 PM 1,687,552 DrgToDsc.exe
    1 File(s) 1,687,552 bytes

    Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

    03/12/2003 07:23 AM 172,032 hpztsb08.exe
    1 File(s) 172,032 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE "
    61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE "
    257088 Jun 1 2007 "C:\Program Files\iTunes\iTunesHelper.exe "
    257088 Jun 1 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe "
    102400 Jun 16 2007 "C:\WINDOWS\Installer\{553E56C3-7AA1-45FE-A2FC-2C43DC27F765}\iTunesIco.exe "
    116288 Jun 1 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.2.0.35\iTunesSetupAdmin.exe "
    135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\shwicon2k.exe "
    135168 Oct 29 2003 "C:\Program Files\Multimedia Card Reader\bak\shwicon2k.exe "
    282624 Apr 27 2007 "C:\Program Files\QuickTime\qttask.exe "
    282624 Apr 27 2007 "C:\Program Files\QuickTime\bak\qttask.exe "
    221184 Nov 3 2003 "C:\WINDOWS\SMINST\RECGUARD.EXE "
    221184 Nov 3 2003 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE "
    188 Nov 5 2007 "C:\WINDOWS\system\hpsysdrv.DAT "
    182 Oct 20 2007 "C:\WINDOWS\system\bak\hpsysdrv.DAT "
    52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe "
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe "
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe "
    483328 Aug 21 2003 "C:\WINDOWS\system32\hphmon05.exe "
    483328 Aug 21 2003 "C:\WINDOWS\system32\bak\hphmon05.exe "
    155648 Aug 6 2001 "C:\WINDOWS\system32\NeroCheck.exe "
    155648 Aug 6 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe "
    81920 Oct 16 2002 "C:\WINDOWS\system32\ps2.exe "
    81920 Oct 16 2002 "C:\hp\drivers\keyboard\PS2.EXE "
    81920 Oct 16 2002 "C:\WINDOWS\system32\bak\ps2.exe "
    75392 Apr 30 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe "
    75392 Apr 30 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe "
    278528 Mar 8 2006 "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe "
    278528 Mar 8 2006 "C:\Program Files\Creative\MediaSource5\bak\MtdAcqu.exe "
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe "
    49152 Aug 21 2003 "C:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\bak\hphupd05.exe "
    65824 Oct 26 2006 "C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe "
    31016 Oct 26 2006 "C:\Program Files\Microsoft Office\Office12\bak\GrooveMonitor.exe "
    624248 May 10 2007 "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    624248 May 10 2007 "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\bak\Acrotray.exe "
    151597 Jan 20 2004 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe "
    151597 Jan 20 2004 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe "
    163840 Oct 21 2005 "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe "
    163840 Oct 21 2005 "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\bak\RoxWatchTray.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe "
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe "
    32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe "
    32768 Jan 9 2004 "C:\Program Files\HP\Digital Imaging\bin\bak\backupnotify.exe "
    32881 Jan 20 2004 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe "
    83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe "
    132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe "
    1687552 Oct 20 2005 "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    1687552 Oct 20 2005 "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\bak\DrgToDsc.exe "
    172032 Mar 12 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe "
    172032 Mar 12 2003 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb08.exe "


    end of report
     
  9. 2007/11/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well done!

    Double-click the FindAWF icon once again

    If a Security Alert shows, allow the program to run.
    As instructed, press any key to continue.
    Use the following option: Press 3 then Enter to remove bak folders

    A text file opens called: folders.txt
    Highlight and copy the bolded list below, then click below the line in folders.txt and paste the list of folders to be removed:

    C:\HP\KBD\BAK
    C:\PROGRA~1\ITUNES\BAK
    C:\PROGRA~1\MULTIM~1\BAK
    C:\PROGRA~1\QUICKT~1\BAK
    C:\WINDOWS\SMINST\BAK
    C:\WINDOWS\SYSTEM\BAK
    C:\WINDOWS\SYSTEM32\BAK
    C:\PROGRA~1\ALWILS~1\AVAST4\BAK
    C:\PROGRA~1\CREATIVE\MEDIAS~1\BAK
    C:\PROGRA~1\HP\{45B61~1\BAK
    C:\PROGRA~1\MICROS~4\OFFICE12\BAK
    C:\PROGRA~1\ADOBE\ACROBA~3.0\ACROBAT\BAK
    C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
    C:\PROGRA~1\COMMON~1\ROXIOS~1\SHARED~2\BAK
    C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK
    C:\PROGRA~1\HP\DIGITA~1\BIN\BAK
    C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK
    C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK
    C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK


    Close folders.txt and click Yes to save the changes.

    Once folders.txt is saved, FindAWF does the following:
    -It deletes the contents of the bak folders
    -Removes the bak folders

    When done with the above, it automatically runs a new scan and opens a new log.
    Please provide the new FindAWF log in your reply.
     
  10. 2007/11/08
    donhu

    donhu Inactive Thread Starter

    Joined:
    2007/10/15
    Messages:
    7
    Likes Received:
    0
    Ok, here's the new log.

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 3 run successfully

    The current date is: Thu 11/08/2007
    The current time is: 19:46:07.10


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report
     
  11. 2007/11/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great!

    Run FindAWF again and select Option 4. Once completed resetting the IE zones you can select the Exit option.

    Then please run a new Deckard's scan and post the main.txt
    Let me know how your computer is behaving and what problems you may have.
     
  12. 2007/11/11
    donhu

    donhu Inactive Thread Starter

    Joined:
    2007/10/15
    Messages:
    7
    Likes Received:
    0
    Here's the new scan. I honestly can't say how the computer is running because I've been sick and haven't been on it much the last few days. I did get a message yesterday that said HP updates could not access its file.... I wonder (just by the size of the log) if there's stuff here that shouldn't be. Are all these necessary?
    Thanks
    Donna

    Deckard's System Scanner v20071014.68
    Run by Owner on 2007-11-11 19:38:17
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Total Physical Memory: 448 MiB (512 MiB recommended).


    -- HijackThis (run as Owner.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:38:30 PM, on 11/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\windows\system\hpsysdrv.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\MediaSource5\MtdAcqu.exe
    C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe "
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe "
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe "
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
    O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
    O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
    O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
    O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

    --
    End of file - 10109 bytes

    -- Files created between 2007-10-11 and 2007-11-11 -----------------------------

    2007-10-31 07:59:34 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe <Not Verified; Ahead Software Gmbh; Ahead Software Gmbh NeroCheck>
    2007-10-29 19:28:20 0 d-------- C:\WINDOWS\SxsCaPendDel
    2007-10-29 18:15:27 0 d-------- C:\Program Files\STOPzilla!
    2007-10-29 18:15:25 0 d-------- C:\Program Files\Common Files\iS3
    2007-10-29 18:15:24 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2007-10-23 19:50:50 0 d-------- C:\Documents and Settings\Owner\Application Data\SpywareBot
    2007-10-23 19:12:41 0 d-------- C:\Program Files\RegCure
    2007-10-21 21:21:21 0 d-------- C:\DonnaDocs
    2007-10-21 20:02:57 0 dr------- C:\Documents and Settings\LocalService\Favorites
    2007-10-14 15:50:13 63 --a------ C:\WINDOWS\system\SysSD.dll
    2007-10-14 08:24:29 0 d--h----- C:\WINDOWS\PIF
    2007-10-13 23:03:13 0 dr-h----- C:\$VAULT$.AVG
    2007-10-13 23:01:18 0 d-------- C:\Documents and Settings\Owner\Application Data\AVG7
    2007-10-13 23:00:53 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2007-10-13 22:59:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2007-10-13 22:59:59 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2007-10-11 13:53:16 0 d-------- C:\Documents and Settings\Owner\Application Data\HouseCall 6.6
    2007-10-11 13:41:53 0 d-------- C:\Program Files\Trend Micro


    -- Find3M Report ---------------------------------------------------------------

    2007-11-08 19:46:05 0 d-------- C:\Program Files\QuickTime
    2007-11-08 19:46:05 0 d-------- C:\Program Files\Multimedia Card Reader
    2007-11-08 19:46:05 0 d-------- C:\Program Files\iTunes
    2007-10-29 18:15:25 0 d-------- C:\Program Files\Common Files
    2007-10-22 08:56:21 0 d-------- C:\Program Files\TrueSwitchComcast
    2007-10-05 19:16:23 0 d-------- C:\Documents and Settings\Owner\Application Data\Real


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "hpsysdrv"="c:\windows\system\hpsysdrv.exe" [05/07/1998 07:04 PM]
    "KBD"="C:\HP\KBD\KBD.EXE" [02/11/2003 10:02 PM]
    "UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 11:01 AM]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/20/2004 10:22 PM]
    "Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [11/03/2003 07:50 PM]
    "AGRSMMSG"="AGRSMMSG.exe" [03/04/2005 11:01 AM C:\WINDOWS\AGRSMMSG.exe]
    "PS2"="C:\WINDOWS\system32\ps2.exe" [10/16/2002 06:57 PM]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [02/23/2004 02:43 PM]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [10/29/2003 10:17 AM]
    "HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [03/12/2003 07:23 AM]
    "AlcxMonitor"="ALCXMNTR.EXE" [09/07/2004 01:47 PM C:\WINDOWS\ALCXMNTR.EXE]
    "QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" []
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04/30/2007 10:42 AM]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [10/20/2005 11:47 PM]
    "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [10/21/2005 06:13 PM]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [10/23/2007 11:12 AM]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [05/10/2007 09:46 PM]
    "RegistryMechanic"="" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BackupNotify"="c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" [01/09/2004 04:34 AM]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]
    "MtdAcqu"="C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" [03/08/2006 07:56 AM]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Updates from HP.lnk - C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe [1/20/2004 10:59:55 PM]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @="Volume shadow copy"




    -- End of Deckard's System Scanner: finished at 2007-11-11 19:38:51 ------------
     
  13. 2007/11/11
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Most everything looks to be in order. Just a couple of things left to do.

    Copy the contents of the quote box below to a blank notepad. Save it to the desktop as:

    Filename: fix.reg
    Save as type: All Files (*.*)

    Double click fix.reg and allow it to merge with the registry.


    RegCure and SpywareBot are both less than desirable programs and I recommend you remove them. Open Add/Remove programs and uninstall them, if listed, then delete their folders.

    C:\Documents and Settings\Owner\Application Data\SpywareBot << Application Data folder is hidden. You will need to show hidden files and folders to see it.
    C:\Program Files\RegCure
    C:\Program Files\SpywareBot


    Let's run an online scan to see if we've missed anything. Please do an online scan with Kaspersky WebScanner.

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.

    Post the Kaspersky log.
     
  14. 2007/11/12
    donhu

    donhu Inactive Thread Starter

    Joined:
    2007/10/15
    Messages:
    7
    Likes Received:
    0
    Ok, here's the scan log. Doesn't look good does it? I don't understand how it can still be so bad. Is this hopeless?
    Donna



    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Monday, November 12, 2007 10:16:35 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 13/11/2007
    Kaspersky Anti-Virus database records: 457319
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    F:\
    G:\
    H:\
    I:\
    J:\
    L:\

    Scan Statistics:
    Total number of scanned objects: 131659
    Number of viruses found: 13
    Number of infected objects: 64
    Number of suspicious objects: 0
    Duration of the scan process: 02:12:22

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\20071030213523\backup\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.b skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Roxio\MediaManager8\Album.ldb Object is locked skipped
    C:\Documents and Settings\Owner\Application Data\Roxio\MediaManager8\Album.psod Object is locked skipped
    C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\~DF4245.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temp\~DF4251.tmp Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\Program Files\Trend Micro\HijackThis\backups\backup-20071014-163343-996.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\chandir.dat Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\chandir.idx Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\chn.dat Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\chn.idx Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\D0000000.FCS Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\inuse.txt Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\L0000002.FCS Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\main.log Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs.dat Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs.idx Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_die.dat Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_die.idx Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_dnd.dat Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_dnd.idx Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_ext.dat Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_ext.idx Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_rcv.dat Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\prs_rcv.idx Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\storydb.dat Object is locked skipped
    C:\Program Files\Updates from HP\137903\Users\Default\Data\storydb.idx Object is locked skipped
    C:\qoobox\Quarantine\C\Program Files\Hammer.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\ekcyitir.exe.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\q21\ade83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\q21\ade83122.exe.vir NSIS: infected - 1 skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\ubqwonix.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP302\A0140026.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP302\A0140033.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP303\A0140213.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP303\A0140215.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP304\A0140441.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP304\A0140443.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP304\A0140462.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP304\A0142035.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP305\A0142183.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP306\A0142230.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP307\A0142385.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP307\A0142395.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142504.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142514.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142811.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142899.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0003/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0003 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.co skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0005 Infected: Trojan-Downloader.Win32.Small.fxy skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0006/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0006/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0006 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe NSIS: infected - 9 skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0143052.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP309\A0143057.exe Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP309\A0143058.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP309\A0143065.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP309\A0143065.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP309\A0143066.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP309\A0143131.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP311\A0143427.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP311\A0143428.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143562.EXE Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143563.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143564.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143565.EXE Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143566.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143567.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143568.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143569.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143570.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143572.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143573.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143574.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143575.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143576.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP313\A0143577.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP314\A0144710.exe Infected: Trojan.Win32.Agent.bxj skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP314\A0144889.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.c skipped
    C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP315\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
    C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\ctfmon.exe.tmp Infected: Trojan.Win32.Agent.bxj skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\sim7\isrven2.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
    C:\WINDOWS\system32\sim7\isrven2.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
    C:\WINDOWS\system32\sim7\isrven2.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
    C:\WINDOWS\system32\sim7\isrven2.exe NSIS: infected - 3 skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\JET4AEE.tmp Object is locked skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_650.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  15. 2007/11/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're in good shape. :)

    Actually only 2 infected files left to remove. Delete the following.

    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\sim7\isrven2.exe

    Open HijackThis to the Misc Tools section then click Backups. Remove them all.

    Delete the following folders.

    C:\Deckard
    C:\qoobox

    You should also delete dss.exe and ComboFix.exe if you still have them.

    Next, download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.
    Reboot


    If you're satisfied that the computer is working properly, clear the System Restore points. They are infected.

    Clear past system restore points and create a new one.
    Right click My Computer and select Properties. On the System Restore tab, check the box to turn System Restore off. Click Apply. Now, uncheck the box and click Apply. Click OK, then OK to close the System Properties dialog.

    Verify a new restore point was created.
    Click Start>All Programs>Accessories>System Tools>System Restore
    Select 'Restore my computer to an earlier time', then click next.
    You should have a newly created System Checkpoint available. If so, click Cancel. If not, click Back and select 'Create a restore point' then click Next. Give the restore point a name and click next.


    Your computer is now clean! Geri has posted some very helpful information and recommendations regarding future protection in the following link.

    http://www.windowsbbs.com/showthread.php?t=67958

    Surf safe!
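The triage done on the Kaspersky report above, reduced to code: an added example that is not part of the thread, which parses the scanner's line format and sorts detections into stores that are already contained (System Restore points, the ComboFix quarantine, HijackThis and Deckard backups) versus files still live on disk, which is how the report's 64 "infected objects" shrink to two files to delete. The sample lines are a constructed subset of the posted report; the bucket names and folder rules are this example's own assumptions, not Kaspersky's.

```python
"""Triage a Kaspersky Online Scanner 5.x report (added example, not from the thread).

Hits inside System Restore, the ComboFix quarantine (qoobox), HijackThis backups
and the Deckard backup are already contained and vanish when those stores are
cleared; anything else is still live on disk and is the real removal list.
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed subset of the posted report, in the scanner's own line format:
#   <object> Object is locked skipped | <object> Infected: <name> skipped
#   <archive> NSIS: infected - <n> skipped   (summary line for an installer)
# Sub-objects inside an archive are written with "/dataNNNN" or "/stream".
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071014-163343-996.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\ubqwonix.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.f skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142811.exe Infected: Trojan.Win32.Agent.bxj skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe/data0005 Infected: Trojan-Downloader.Win32.Small.fxy skipped
C:\System Volume Information\_restore{7F7BE6F8-0D6A-488B-ABDC-75393719A72D}\RP308\A0142908.exe NSIS: infected - 9 skipped
C:\WINDOWS\system32\ctfmon.exe.tmp Infected: Trojan.Win32.Agent.bxj skipped
C:\WINDOWS\system32\sim7\isrven2.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\system32\sim7\isrven2.exe NSIS: infected - 3 skipped
Scan process completed.
"""


class Finding(NamedTuple):
    path: str            # object exactly as reported (may include /dataNNNN parts)
    container: str       # the on-disk file holding that object
    verdict: str         # "locked", "infected" or "archive"
    name: Optional[str]  # detection name for "infected" lines, else None
    bucket: str          # where the container lives, see classify_container()


LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<archive>\w+): infected - (?P<count>\d+))"
    r" (?P<action>\w+)$"
)


def classify_container(container: str) -> str:
    """Decide which store a hit lives in; only 'live' files need hands-on removal."""
    low = container.lower()
    if low.startswith("c:\\system volume information\\_restore"):
        return "restore_point"      # flushed by turning System Restore off and on
    if "\\qoobox\\quarantine\\" in low:
        return "quarantine"         # ComboFix quarantine, goes with the qoobox folder
    if "\\hijackthis\\backups\\" in low:
        return "hijackthis_backup"  # HijackThis > Misc Tools > Backups
    if low.startswith("c:\\deckard\\"):
        return "dss_backup"         # Deckard's System Scanner backup copies
    return "live"


def parse_report(report: str) -> list:
    """Turn the report body into Finding records; header/footer lines are ignored."""
    findings = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        container = path.split("/", 1)[0]   # drop archive sub-object suffixes
        if m.group("locked"):
            verdict, name = "locked", None
        elif m.group("archive"):
            verdict, name = "archive", None
        else:
            verdict, name = "infected", m.group("name")
        findings.append(Finding(path, container, verdict, name,
                                classify_container(container)))
    return findings


def triage(report: str) -> dict:
    """Group detections as {bucket: {container: set(detection names)}}.

    'Object is locked' lines are in-use hives, logs and caches the scanner could
    not open, not detections, so they are left out.
    """
    buckets = defaultdict(lambda: defaultdict(set))
    for f in parse_report(report):
        if f.verdict == "locked":
            continue
        names = buckets[f.bucket][f.container]
        if f.name:                      # archive summary lines carry no name
            names.add(f.name)
    return {b: dict(c) for b, c in buckets.items()}


def live_files(report: str) -> list:
    """Files still on disk outside any backup/quarantine store: the real to-do list."""
    return sorted(triage(report).get("live", {}))


if __name__ == "__main__":
    for bucket, containers in sorted(triage(SAMPLE_REPORT).items()):
        print(f"[{bucket}]")
        for container, names in sorted(containers.items()):
            print(f"  {container}  <-  {', '.join(sorted(names)) or '(archive summary only)'}")
    print("Delete by hand:", *live_files(SAMPLE_REPORT), sep="\n  ")
```

Run against the full report from the thread, the 'live' bucket comes out as exactly the two paths the reply names, while the restore-point bucket accounts for the bulk of the 64 hits.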
     
