BullGuard Antivirus Forum (Virus Removal / Removal Help)
Nebular S & Outerinfo & others (Please help)

Ninjuhh (New Member, joined Jan 2008, 14 posts)
Posted 1-24-2008 7:15 (GMT +1)
I recently scanned my computer with Yahoo Anti-Spy and I found 'Nebular S'. Of course, I removed it. But minutes later I scanned again and it was still there! I've tried everything to remove it. I also have a green bubble on the toolbar (by the time). It has a '!' saying my computer could be at risk. I've never seen it before. And when I right click and click 'close', two popups appear: one saying 'your computer is running slower etc. etc.' and it says to download something, and when you close out of that popup, one pops up again trying to get me to download a virus scanner. Also I'll have a blue bubble appear there: "Outerinfo". I can go to Add & Remove Programs and remove it, but it also comes back. I also have a triangle with a '!' inside it saying Windows Antivirus. When I click it, it brings up popups. Even when I right click it. I also have a red X that brings almost the same thing up.

A couple nights ago I was attacked with viruses. Trojans. I use AVG 7.5 (Free Version) and the 'Threat Detected' pop-up appeared 5 or 6 times. I healed the viruses. But they keep coming back. I can't remove Nebular S, nor any others. Please help? /:

Post Edited (Ninjuhh) : 24-01-2008 11:36:53 GMT


Touch (Forum Moderator, joined Jun 2004, 14290 posts)
Posted 1-24-2008 7:27 (GMT +1)
Hi Ninjuhh

Click here: Before posting a log

After you have run the scan tools:

Reboot normally.

Post the HijackThis log along with the AVG Anti-Spyware log, C: Rootlog TXT and C: combofix txt in this topic.

Do NOT post your problem in someone else's thread.
 

Ninjuhh (New Member, joined Jan 2008, 14 posts)
Posted 1-24-2008 7:34 (GMT +1)
It's installing SP3. Is that okay? Or does it have to be SP1 or 2?

Post Edited (Ninjuhh) : 24-01-2008 06:46:26 GMT
 

Touch (Forum Moderator, joined Jun 2004, 14290 posts)
Posted 1-24-2008 7:53 (GMT +1)
What OS do you have? If it is W2000, it'll be ok.
 

Ninjuhh (New Member, joined Jan 2008, 14 posts)
Posted 1-24-2008 8:35 (GMT +1)
I'm almost finished scanning. But,

"Post Hijackthis log along with AVG Anti-Spyware log, C: Rootlog TXT, C: combofix txt in this topic"

I don't understand how to do that? I've never used HijackThis.
 

Touch (Forum Moderator, joined Jun 2004, 14290 posts)
Posted 1-24-2008 8:57 (GMT +1)
Post the logs in this thread, using the "Post reply" button.
 

Ninjuhh (New Member, joined Jan 2008, 14 posts)
Posted 1-24-2008 12:27 (GMT +1)
I cannot find the ComboFix.txt, but I have the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:25, on 2008-01-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\ALCWZRD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\HP_Owner.BETH.000\My Documents\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {89A1E40D-0254-4F99-B9AE-B60A2D8754A9} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [MSDrive] rundll32.exe C:\WINDOWS\system32\drvbeh.dll,startup
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvvad.dll,startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\HP_Owner.BETH.000\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
--
End of file - 9015 bytes
 

Touch (Forum Moderator, joined Jun 2004, 14290 posts)
Posted 1-24-2008 12:37 (GMT +1)
Open the C: ComboFix folder and see if ComboFix.txt is present there; if it is, please post it.
 

Ninjuhh (New Member, joined Jan 2008, 14 posts)
Posted 1-24-2008 12:46 (GMT +1)
Alright, I found it.

ComboFix 08-01-23.2 - HP_Owner 2008-01-24  4:51:45.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.258 [GMT -6:00]
Running from: C:\Documents and Settings\HP_Owner.BETH.000\My Documents\ComboFix.exe
 * Created a new restore point
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\HP_Owner.YOUR-27E1513D96\Application Data\macromedia\Flash Player\#SharedObjects\AVLYL4BA\www.broadcaster.com
C:\Documents and Settings\HP_Owner.YOUR-27E1513D96\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Program Files\Common Files\{4B5CA~1
C:\Program Files\lsass.exe
C:\Program Files\WinBudget
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\awvtu.dll
C:\WINDOWS\system32\ddaby.dll
C:\WINDOWS\system32\drvbehr.dll
C:\WINDOWS\system32\drvdazr.dll
C:\WINDOWS\system32\drvzetr.dll
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\iifgfcy.dll
C:\WINDOWS\system32\ljjhigh.dll
C:\WINDOWS\system32\sstqr.dll
C:\WINDOWS\system32\vtstr.dll
C:\WINDOWS\system32\winzzc32.dll
C:\WINDOWS\system32\yayvsro.dll
D:\Autorun.inf
.
(((((((((((((((((((((((((   Files Created from 2007-12-24 to 2008-01-24  )))))))))))))))))))))))))))))))
.
2008-01-24 04:48 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 03:27 . 2007-05-30 06:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-24 01:59 . 2008-01-24 01:59 18,944 --a------ C:\WINDOWS\system32\drvvad.dll
2008-01-24 01:09 . 2008-01-24 01:09 <DIR> d-------- C:\Program Files\CCleaner
2008-01-24 00:07 . 2008-01-24 00:07 145 --a------ C:\WINDOWS\system32\winver.bat
2008-01-22 19:18 . 2008-01-22 19:18 103,936 --a------ C:\WINDOWS\system32\drvbeh.dll
2008-01-22 02:18 . 2008-01-22 02:18 2,275,840 --a------ C:\WINDOWS\system32\TUKernel.exe
2008-01-22 02:17 . 2008-01-22 02:17 103,936 --a------ C:\WINDOWS\system32\drvdaz.dll
2008-01-22 01:36 . 2008-01-22 01:36 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-01-22 01:36 . 2008-01-22 01:36 306,432 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-01-22 01:36 . 2007-12-20 10:41 29,440 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-22 01:35 . 2008-01-22 01:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-22 01:12 . 2008-01-22 01:12 103,936 --a------ C:\WINDOWS\system32\drvzet.dll
2008-01-20 03:54 . 2008-01-20 03:54 <DIR> d-------- C:\Program Files\shoutcASP
2008-01-20 03:54 . 2008-01-20 03:54 532,480 --a------ C:\WINDOWS\system32\ASPUtilityBelt.dll
2008-01-20 03:54 . 2008-01-20 03:54 353,280 --a------ C:\WINDOWS\system32\shoutcasp.dll
2008-01-19 22:54 . 2008-01-19 22:54 <DIR> d-------- C:\WINDOWS\system32\includes
2008-01-19 22:54 . 2008-01-19 22:54 1,056,768 --a------ C:\WINDOWS\system32\sppres.exe
2008-01-19 22:54 . 2008-01-19 22:54 20,480 --a------ C:\WINDOWS\system32\loaderybALT.exe
2008-01-19 22:53 . 2008-01-20 00:01 <DIR> d-------- C:\Program Files\iHabbix
2008-01-18 21:37 . 2008-01-18 21:37 6,279,168 --a------ C:\WINDOWS\system32\dwin.exe
2008-01-18 04:51 . 1998-06-17 00:00 385,100 --------- C:\WINDOWS\system32\MSVCRTD.DLL
2008-01-18 04:28 . 2008-01-20 00:08 <DIR> d-------- C:\Program Files\NewSoft
2008-01-18 04:28 . 2003-08-25 16:12 32,768 -ra------ C:\WINDOWS\system32\infcpy.dll
2008-01-08 22:17 . 2002-07-07 16:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-01-08 21:36 . 2008-01-15 22:44 <DIR> d-------- C:\Program Files\VstPlugins
2008-01-08 21:36 . 2006-06-20 02:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-01-08 21:33 . 2008-01-15 22:44 <DIR> d-------- C:\Program Files\Image-Line
2007-12-25 06:13 . 2007-12-25 06:13 <DIR> d-------- C:\Program Files\Picasa2
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 07:58 --------- d-----w C:\Program Files\Free Offers from Freeze.com
2008-01-24 05:55 --------- d-----w C:\Program Files\ShortKeys2
2008-01-22 08:12 --------- d-----w C:\Program Files\Veo Digital Studio
2008-01-22 08:12 --------- d-----w C:\Program Files\Quicken
2008-01-22 08:12 --------- d-----w C:\Program Files\PC-Doctor 5 for Windows
2008-01-22 08:12 --------- d-----w C:\Program Files\MSN Encarta Standard
2008-01-22 08:12 --------- d-----w C:\Program Files\Microsoft Works
2008-01-22 08:12 --------- d-----w C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-01-22 08:12 --------- d-----w C:\Program Files\IntelliMover Data Transfer Demo
2008-01-22 08:12 --------- d-----w C:\Program Files\Easy Internet signup
2008-01-20 09:57 --------- d-----w C:\Program Files\Winamp
2008-01-20 06:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-04 11:27 --------- d-----w C:\Program Files\Common Files\Scanner
2007-12-29 08:11 --------- d-----w C:\Program Files\Corel
2007-12-29 08:11 --------- d-----w C:\Program Files\Common Files\Corel
2007-12-29 08:07 --------- d-----w C:\Program Files\BitLord
2007-12-17 04:32 --------- d-----w C:\Program Files\Yahoo!
2007-12-13 21:23 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-12 09:10 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-12 06:28 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-11 11:18 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-11 06:11 935,808 ----a-w C:\WINDOWS\system32\drivers\CamthWDM.sys
2007-11-27 12:10 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-25 09:47 --------- d-----w C:\Program Files\MSN Messenger
2007-11-25 09:46 --------- d-----w C:\Program Files\iTunes
2007-11-25 09:46 --------- d-----w C:\Program Files\iPod
2007-11-24 13:47 --------- d-----w C:\Program Files\QuickTime
2007-11-24 13:45 --------- d-----w C:\Program Files\Apple Software Update
2007-11-02 21:04 394 ----a-w C:\temp.dat
2006-01-04 00:17 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.
(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w           253,952 2005-05-11 00:50:42  C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe
----a-w           253,952 2005-05-11 00:50:42  C:\hp\drivers\hplsbwatcher\LSBurnWatcher.exe
----a-w           180,269 2005-11-01 23:52:52  C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
----a-w           180,269 2005-11-01 23:52:52  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
----a-w            49,768 2007-01-09 01:03:20  C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w           218,240 2004-11-03 07:59:52  C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
----a-w           171,448 2007-04-05 02:54:10  C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
----a-w           245,760 2005-02-26 06:34:02  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe
----a-w           245,760 2005-02-26 06:34:02  C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
----a-w            49,152 2005-06-02 06:35:56  C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe
----a-w            49,152 2005-06-02 06:35:56  C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
----a-w            49,152 2005-05-12 14:12:54  C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe
----a-w            49,152 2005-05-12 14:12:54  C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
----a-w           256,576 2006-10-30 17:36:36  C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w         1,694,208 2004-10-13 23:24:38  C:\Program Files\Messenger\bak\msmsgs.exe
----a-w         1,694,208 2004-10-13 23:24:38  C:\Program Files\Messenger\msmsgs.exe
----a-w           282,624 2006-10-26 02:58:18  C:\Program Files\QuickTime\bak\qttask.exe
----a-w           286,720 2007-11-15 05:43:10  C:\Program Files\QuickTime\QTTask.exe
----a-w           100,048 2007-03-29 20:53:09  C:\Program Files\SymNetDrv\bak\SNDMon.exe
----a-w         4,662,776 2006-12-01 05:49:04  C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe
----a-w         4,670,704 2007-08-30 23:43:18  C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89A1E40D-0254-4F99-B9AE-B60A2D8754A9}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-04-27 15:17 50736]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2005-02-26 00:34 245760]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-11-01 17:52 180269]
"MSDrive"="C:\WINDOWS\system32\drvbeh.dll" [2008-01-22 19:18 103936]
"MSDisp32"="C:\WINDOWS\system32\drvvad.dll" [2008-01-24 01:59 18944]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 03:25 6731312]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-15 14:09 219136]
C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-09-17 08:19:14 147456]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Aim6"="C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe
"My Web Search Community Tools"="C:\Program Files\MyWebSearch\bar\1.bin\m3IMPipe.exe"
"MyWebSearch Email Plugin"=C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"AVG7_CC"=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"High Definition Audio Property Page Shortcut"=HDAShCut.exe
"HPHUPD08"=c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe"
"KBD"=C:\HP\KBD\KBD.EXE
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"MSDrive"=rundll32.exe C:\WINDOWS\system32\drvdaz.dll,startup
"MyWebSearch Email Plugin"=C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
"My Web Search Bar Search Scope Monitor"="C:\PROGRA~1\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
"PCDrProfiler"=
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
"WinampAgent"="C:\Program Files\Winamp\winampa.exe"
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 06:00]
R3 DCamUSBVeo532;Veo Stingray/Connect Web Camera;C:\WINDOWS\system32\Drivers\ubVeo532.sys [2002-07-01 18:30]
R3 WlanUIG;2Wire 802.11g USB Driver;C:\WINDOWS\system32\DRIVERS\WlanUIG.sys [2004-05-16 18:46]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-22 01:36]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2d435b36-e506-11d9-9b78-e6b009352ae7}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480
*Newly Created Service* - AVGASCLN
.
Contents of the 'Scheduled Tasks' folder
"2008-01-22 07:37:04 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-01-18 13:10:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-23 06:00:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 15:00:02 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 16:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 17:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-21 18:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-21 19:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-21 20:00:03 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-20 21:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-20 22:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-20 23:00:03 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 00:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-24 07:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 01:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 02:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 03:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 04:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-24 05:00:02 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-24 08:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-24 09:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-24 10:00:03 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-24 11:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 12:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 13:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2008-01-23 14:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\GvkqAIkW.exe
"2005-11-02 00:27:45 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 05:03:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\drvbeh.dll
-> C:\WINDOWS\system32\drvvad.dll
.
 

Touch (Forum Moderator, joined Jun 2004, 14290 posts)
Posted 1-24-2008 1:02 (GMT +1)
It seems you have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.

* Click here to download FindAWF.exe and save it to your desktop.
* Double-click on the FindAWF.exe file to run it.
* It will open a command prompt and ask you to "Press any key to continue".
* Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
* It may take a few minutes to complete, so be patient.
* When it is complete, it will open a text file in Notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.

Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
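The replacement pattern the moderator describes above (infected copy left in place, legitimate executable parked in a sibling "bak" folder) can be checked and undone with a short script. This is an added example, not the FindAWF tool or any code from the thread: it builds a constructed directory layout that mirrors three cases visible in the posted AWF report (HPBootOp.exe identical in both places, QTTask.exe differing from its bak copy, ccApp.exe surviving only in bak), pairs each bak executable with its live sibling by size and SHA-256, and restores the backup while quarantining rather than deleting a differing live file. Folder names, file names and byte contents are placeholders chosen for the example.

```python
"""AWF-style replacement check: pair each executable in a 'bak' folder with
the same-named file one level up, compare them by hash, and restore the
legitimate copy.  Added example, not the FindAWF tool or code from the thread."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed layout mirroring three situations in the posted AWF report
# (byte contents are placeholders, not real binaries):
#   HPBootOp.exe - live file and backup have the same size in the report
#   QTTask.exe   - live 286,720 bytes vs 282,624 in bak: the live copy differs
#   ccApp.exe    - only the bak copy is listed, nothing beside it
SAMPLE = [
    ("HP Boot Optimizer", "HPBootOp.exe", b"MZ-legit-hpbootop", b"MZ-legit-hpbootop"),
    ("QuickTime", "QTTask.exe", b"MZ-legit-qttask", b"MZ-unknown-replacement"),
    ("Symantec Shared", "ccApp.exe", b"MZ-legit-ccapp", None),
]


@dataclass
class BakFinding:
    bak_path: str             # the original file parked in the bak folder
    live_path: Optional[str]  # same-named file beside the bak folder, if any
    status: str               # IDENTICAL, REPLACED or LIVE_MISSING


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_awf(root: str) -> list:
    """Walk root for folders named 'bak' and pair each .exe inside with its
    live sibling.  Names are matched case-insensitively, as on NTFS (the
    report pairs bak\\qttask.exe with QTTask.exe)."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "bak":
            continue
        parent = os.path.dirname(dirpath)
        live_names = {n.lower(): n for n in os.listdir(parent)
                      if os.path.isfile(os.path.join(parent, n))}
        for name in sorted(filenames):
            if not name.lower().endswith(".exe"):
                continue
            bak_path = os.path.join(dirpath, name)
            live_name = live_names.get(name.lower())
            if live_name is None:
                findings.append(BakFinding(bak_path, None, "LIVE_MISSING"))
                continue
            live_path = os.path.join(parent, live_name)
            same = (os.path.getsize(live_path) == os.path.getsize(bak_path)
                    and sha256_of(live_path) == sha256_of(bak_path))
            findings.append(BakFinding(bak_path, live_path,
                                       "IDENTICAL" if same else "REPLACED"))
    return findings


def restore_from_bak(finding: BakFinding, quarantine: str) -> str:
    """Put the legitimate copy back.  A differing live file is moved to
    quarantine rather than deleted so it can still be examined."""
    if finding.status == "IDENTICAL":
        return finding.live_path
    os.makedirs(quarantine, exist_ok=True)
    if finding.status == "REPLACED":
        shutil.move(finding.live_path, os.path.join(
            quarantine, os.path.basename(finding.live_path) + ".quarantine"))
        target = finding.live_path
    else:  # LIVE_MISSING: recreate the file beside the bak folder
        target = os.path.join(os.path.dirname(os.path.dirname(finding.bak_path)),
                              os.path.basename(finding.bak_path))
    shutil.copy2(finding.bak_path, target)
    return target


def build_sample(root: str) -> None:
    """Write the constructed SAMPLE layout under root (bak names lowercased,
    live names as the report shows them, to exercise the case handling)."""
    for folder, exe, bak_bytes, live_bytes in SAMPLE:
        bak_dir = os.path.join(root, folder, "bak")
        os.makedirs(bak_dir)
        with open(os.path.join(bak_dir, exe.lower()), "wb") as fh:
            fh.write(bak_bytes)
        if live_bytes is not None:
            with open(os.path.join(root, folder, exe), "wb") as fh:
                fh.write(live_bytes)


def scan_sample() -> dict:
    """Build the sample, classify every bak entry, restore, and re-scan.
    Returns {bak file name: status} plus an 'all_restored' flag."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        findings = find_awf(root)
        result = {os.path.basename(f.bak_path): f.status for f in findings}
        for f in findings:
            restore_from_bak(f, os.path.join(root, "quarantine"))
        result["all_restored"] = all(f.status == "IDENTICAL" for f in find_awf(root))
        return result
```

Running `scan_sample()` classifies the three constructed cases and confirms that after restoration every live file once again matches its bak copy.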
 

Ninjuhh (New Member, joined Jan 2008, 14 posts)
Posted 1-24-2008 1:12 (GMT +1)
Woah. Alright, I ran it.

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: 2008-01-24
The current time is: 6:07:29.93


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\ITUNES\BAK

2006-10-30 11:36 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

2004-10-13 17:24 1,694,208 msmsgs.exe
1 File(s) 1,694,208 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

2006-10-25 20:58 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

2007-03-29 14:53 100,048 SNDMon.exe
1 File(s) 100,048 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

2005-05-10 18:50 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

2007-01-08 19:03 49,768 ccApp.exe
1 File(s) 49,768 bytes

Directory of C:\PROGRA~1\HEWLET~1\HPBOOT~1\BAK

2005-02-26 00:34 245,760 HPBootOp.exe
1 File(s) 245,760 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

2005-05-12 08:12 49,152 HPwuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

2006-11-30 23:49 4,662,776 YahooMessenger.exe
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

2005-11-01 17:52 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

2004-11-03 01:59 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

2007-04-04 20:54 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\HP\DIGITA~1\{33D6C~1\BAK

2005-06-02 00:35 49,152 hphupd08.exe
1 File(s) 49,152 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

257088 Apr 27 2007 "C:\Program Files\iTunes\iTunesHelper.exe1178439951"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 May 2 2007 "C:\WINDOWS\Installer\{3592F5CB-B524-43AA-92F2-2377268199CC}\iTunesIco.exe"
102400 Jan 15 2007 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
102400 Mar 29 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
116288 Mar 14 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\msmsgs.exe"
1694208 Oct 13 2004 "C:\Program Files\Messenger\bak\msmsgs.exe"
1694208 Oct 13 2004 "C:\WINDOWS\$hf_mig$\KB887472\SP2QFE\msmsgs.exe"
286720 Nov 14 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
100048 Mar 29 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
253952 May 10 2005 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe1175214402"
253952 May 10 2005 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
49768 Jan 8 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
245760 Feb 26 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe"
245760 Feb 26 2005 "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak\HPBootOp.exe"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\HPwuSchd2.exe1175214402"
49152 May 12 2005 "C:\Program Files\HP\HP Software Update\bak\HPwuSchd2.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
6157816 Dec 20 2006 "C:\Program Files\Yahoo!\Yahoo! Music Jukebox\YahooMusicEngine.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
180269 Nov 1 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Nov 1 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
218240 Nov 3 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
52272 Jul 16 2007 "C:\Program Files\Google\googletoolbar3user.exe"
68856 Jul 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
138680 Jul 23 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Apr 4 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
49152 Jun 2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
49152 Jun 2 2005 "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak\hphupd08.exe"


end of report
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14290
 
Posted 1-24-2008 3:40 (GMT +1)
Please double-click the FindAWF icon once again
This time we are going to remove some folders.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt

Click below the line and paste the following list of folders to be removed:
C:\Program Files\iTunes\bak
C:\Program Files\Messenger\bak
C:\Program Files\QuickTime\bak
C:\Program Files\SymNetDrv\bak
C\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Hewlett-Packard\HP Boot Optimizer\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Common Files\Symantec Shared\Security Center\bak
C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\bak
 
 
Next, close and click Yes to save the changes.
When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log in your reply.

 



Ninjuhh
New Member




Date Joined Jan 2008
Total Posts : 14
 
Posted 1-24-2008 6:01 (GMT +1)

  Find AWF report by noahdfear ©2006
               Version 1.40
Option 3 run successfully
The current date is: 2008-01-24
The current time is: 10:47:38.54

  bak folders found
  ~~~~~~~~~~~

 Directory of C:\HP\DRIVERS\HPLSBW~1\BAK
2005-05-10  18:50           253,952 lsburnwatcher.exe
               1 File(s)        253,952 bytes
 Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
2007-01-08  19:03            49,768 ccApp.exe
               1 File(s)         49,768 bytes
 Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK
2007-04-04  20:54           171,448 GoogleToolbarNotifier.exe
               1 File(s)        171,448 bytes

  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~
    253952 May 10 2005 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe1175214402"
    253952 May 10 2005 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
     49768 Jan  8 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
     52272 Jul 16 2007 "C:\Program Files\Google\googletoolbar3user.exe"
     68856 Jul  9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    138680 Jul 23 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
    171448 Apr  4 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"

  end of report
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14290
 
Posted 1-24-2008 7:53 (GMT +1)
Please double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.

Use the following option: Press 2 then Enter to restore files from bak folders
 
A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
 
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\Google\googletoolbar3user.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
 
 
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:

-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
 
When done with the above, it automatically runs a new scan and opens a new log.

Please provide the new FindAWF log in your reply.
 
 
 


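The three FindAWF steps the moderator walks through above (the scan that lists bak folders and their duplicates, option 3 that deletes bak folders from folders.txt, and option 2 that restores originals from files.txt) follow one pattern: the genuine start-up program is moved into a `bak` sub-folder and a same-named rogue file is left in the parent folder. The Python below is an added example that re-implements that pattern so it can be studied offline; it is not noahdfear's tool and not code from the thread. The directory tree, file bytes and the renamed-copy name `iTunesHelper.exe1178439951` are constructed for the demo, the hash comparison is my choice rather than anything the tool is documented to do, and the process-termination step the real tool performs before replacing a file is omitted because it is Windows-specific.

```python
"""Added example: the bak-folder scan / restore / cleanup logic that the
FindAWF posts in this thread describe, re-implemented in Python so the
pattern can be studied offline.  This is not noahdfear's tool and not code
from the thread; the paths and file contents below are constructed."""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root: Path) -> list[Path]:
    """Every directory literally named 'bak' (case-insensitive) below root."""
    return sorted(p for p in root.rglob("*") if p.is_dir() and p.name.lower() == "bak")


def compare_with_parent(bak_file: Path) -> dict:
    """Classify one backed-up file against its parent folder.

    AWF pattern from the thread: the genuine program is moved to <dir>\\bak\\
    and a rogue file with the same name is dropped in <dir>\\.  A renamed copy
    such as 'iTunesHelper.exe1178439951' (name plus digits) is also reported.
    """
    parent_dir = bak_file.parent.parent
    parent_copy = parent_dir / bak_file.name
    renamed = sorted(p.name for p in parent_dir.iterdir()
                     if p.is_file() and p.name.startswith(bak_file.name) and p != parent_copy)
    if not parent_copy.exists():
        status = "parent-missing"
    elif sha256_of(parent_copy) == sha256_of(bak_file):
        status = "identical"      # same bytes: nothing was swapped
    else:
        status = "differs"        # same name, different bytes: suspect the parent copy
    return {"bak": bak_file, "parent": parent_copy, "status": status, "renamed": renamed}


def report(root: Path) -> list[dict]:
    """Scan equivalent: list bak folders and compare their contents."""
    return [compare_with_parent(f)
            for folder in find_bak_folders(root)
            for f in sorted(folder.iterdir()) if f.is_file()]


def restore_files(parent_copies: list[Path]) -> dict[Path, bool]:
    """Option 2 equivalent (files.txt): delete the rogue file in the parent
    folder and copy the original back from bak\\.  Killing the running
    process first, which the real tool does, is Windows-specific and omitted."""
    results = {}
    for rogue in parent_copies:
        original = rogue.parent / "bak" / rogue.name
        if not original.is_file():
            results[rogue] = False
            continue
        if rogue.exists():
            rogue.unlink()
        shutil.copy2(original, rogue)
        results[rogue] = sha256_of(rogue) == sha256_of(original)
    return results


def remove_bak_folders(folders: list[Path]) -> list[Path]:
    """Option 3 equivalent (folders.txt); refuses anything not named 'bak'."""
    removed = []
    for folder in folders:
        if folder.is_dir() and folder.name.lower() == "bak":
            shutil.rmtree(folder)
            removed.append(folder)
    return removed


def build_sample_tree() -> Path:
    """Constructed sample tree modelled on the posted log (toy bytes, not binaries)."""
    root = Path(tempfile.mkdtemp(prefix="awf-demo-"))
    itunes = root / "Program Files" / "iTunes"
    msgr = root / "Program Files" / "Messenger"
    for d in (itunes / "bak", msgr / "bak"):
        d.mkdir(parents=True)
    (itunes / "iTunesHelper.exe").write_bytes(b"MZ-rogue-downloader-stub")       # swapped in
    (itunes / "iTunesHelper.exe1178439951").write_bytes(b"MZ-genuine-itunes-helper")
    (itunes / "bak" / "iTunesHelper.exe").write_bytes(b"MZ-genuine-itunes-helper")
    (msgr / "msmsgs.exe").write_bytes(b"MZ-genuine-messenger")                   # untouched
    (msgr / "bak" / "msmsgs.exe").write_bytes(b"MZ-genuine-messenger")
    return root


if __name__ == "__main__":
    demo = build_sample_tree()
    for entry in report(demo):
        print(f"{entry['status']:15} {entry['parent']}  renamed={entry['renamed']}")
    rogue = demo / "Program Files" / "iTunes" / "iTunesHelper.exe"
    print("restored:", restore_files([rogue]))
    print("removed:", remove_bak_folders(find_bak_folders(demo)))
    shutil.rmtree(demo)
```

Run as a script it builds the sample tree in a temporary directory, prints the report, restores the swapped iTunesHelper.exe and then deletes the bak folders, mirroring the order the moderator used (scan, remove bak folders, restore files). A byte-identical parent copy, like msmsgs.exe here, is reported as "identical" and left alone, which is why only some of the entries in a FindAWF log end up on a restore list.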
 

Ninjuhh
New Member




Date Joined Jan 2008
Total Posts : 14
 
Posted 1-24-2008 8:39 (GMT +1)
Thanks for all your help so far.
Here's the log
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: 2008-01-24
The current time is: 13:26:49.46


bak folders found
~~~~~~~~~~~


Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

2005-05-10 18:50 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

2007-01-08 19:03 49,768 ccApp.exe
1 File(s) 49,768 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

2007-04-04 20:54 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

253952 May 10 2005 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe1175214402"
253952 May 10 2005 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
49768 Jan 8 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
52272 Jul 16 2007 "C:\Program Files\Google\googletoolbar3user.exe"
68856 Jul 9 2007 "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
138680 Jul 23 2007 "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
171448 Apr 4 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"


end of report
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14290
 
Posted 1-25-2008 7:06 (GMT +1)
Double-click the FindAWF icon once again.
Use the following option: Press 4 then Enter to reset domain zones.

When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
 
 
 
Please download the Free Version of Superantispyware.
 
Install it using the Standard Install option. (You will be asked for your e-mail address; it is safe to give it.)
Close the program.
 
Download DrWebCureit to your desktop.
 
Please print out or copy this page to Notepad, as you will be in Safe Mode and unable to refer to this page.
 
Double-click "drweb-cureit.exe" and click "Start" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done",
click Options -> Change settings.
 
Actions tab: for Adware, Dialers, Riskware and Hacktools, use the dropdown menu and select Rename.
Click Apply, then OK.
Click on the Scan tab. Move the dot from Express scan to Complete Scan. Click on the green arrow to the right. It will now scan your drive(s); say yes to all.
 
After the scan, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
 
Reboot your computer, because files that were in use may be moved/deleted during the reboot.
 
Start Superantispyware.
Hit the Scan Your Computer button.
Click on the drive(s) you want to scan. Put a check in Perform Complete Scan, then Next;
it will scan now. When the scan has finished, put a checkmark against all items it found. Next, after cleaning, allow it to reboot.
 
Start Superantispyware again.
Click Preferences and then click the Statistics/Logs tab.
Click the dated log and press View Log; a text file will appear.
 
Post this log along with a fresh HijackThis log, the Dr.Web log and a new ComboFix log.
 


 

Ninjuhh
New Member




Date Joined Jan 2008
Total Posts : 14
 
Posted 1-25-2008 11:54 (GMT +1)
During the Dr.Web scan, it froze on me.
I waited for about 10 minutes for it to un-freeze but it didn't.
So I restarted the computer, back into safe mode.
But during the first scan it found two Downloader Trojans.
And eight of Verduma? (Don't remember the spelling, sorry)
When I tried to scanned it again, it didn't find those. Only