Another Win 32:Trat BHO[Trj]

Hi
I am new to this site. I have been getting this trojan horse warning for almost a month now and have just been deleting it every time it comes up. Can someone please help me get rid of it permanently? Thanks. Here is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:18 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ThePort\XML Player\XMLplayer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F1E34EA-2BA3-4F3B-9F26-715731CB85D4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7CD02DF4-8ADA-4407-94E0-B6C328FF785F} - C:\Program Files\WindowsUpdate\hopetedC:\WINDOWS\system32\ip3\qopre83122.exe.dll (file missing)
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\hgghfef.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - (no file)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\system32\MSTMON_Y.EXE STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: myRCI.lnk = C:\Program Files\ThePort\XML Player\XMLplayer.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: hgghfef - C:\WINDOWS\SYSTEM32\hgghfef.dll
O20 - Winlogon Notify: yayyxww - yayyxww.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - America Online, Inc. - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 6065 bytes

It looks like one of the suggested things to fix in your HJT report is a part of Vundo (for the avast admins, that would be O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - (no file)). Don't fix this yet, and you have some other items in your HJT report that will probably need to be fixed later. For now, I would suggest downloading the SUPERAntiSpyware free version from this page: http://www.superantispyware.com/
Update it, run a full scan, and see if it catches anything (only quarantine them though, do not delete them). Report back with what happens.

By then, the avast admins will probably have posted more advice.
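philly12's point above (an orphaned BHO CLSID with "(no file)" is a Vundo leftover, and the same log has a nameless DLL in system32 registered both as a BHO and as a Winlogon Notify handler) can be turned into a quick triage pass over the O2/O20 lines of a HijackThis log. The Python script below is an added example, not part of this thread or of HijackThis; the sample lines are a constructed subset of the first log above, and the scoring weights are my own assumptions, not a vendor signature.

```python
"""Triage HijackThis O2 (BHO) and O20 (Winlogon Notify) lines for Vundo-style traits.

Added example for this thread; the scoring weights are assumptions, not a vendor signature.
"""
import re

VOWELS = set("aeiou")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Constructed sample: a subset of the O2/O20 lines from the first log in the thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\hgghfef.dll
O2 - BHO: (no name) - {FF64059D-4D2A-4D6B-AA0F-2EE4A2FE3856} - (no file)
O20 - Winlogon Notify: hgghfef - C:\WINDOWS\SYSTEM32\hgghfef.dll
O20 - Winlogon Notify: yayyxww - yayyxww.dll (file missing)
"""


def parse_hjt(text):
    """Return one dict per O2/O20 line: kind, name, path, missing flag, file stem (raw and lower-case)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m, kind = O2_RE.match(line), "O2"
        if not m:
            m, kind = O20_RE.match(line), "O20"
        if not m:
            continue
        path = m.group("path").strip()
        # HJT marks an orphaned registration either as "(no file)" or with a "(file missing)" suffix.
        missing = path == "(no file)" or path.endswith("(file missing)")
        filename = path.replace("(file missing)", "").strip().rsplit("\\", 1)[-1]
        stem_raw = "" if filename == "(no file)" else filename.rsplit(".", 1)[0]
        entries.append({"kind": kind, "name": m.group("name"), "path": path, "missing": missing,
                        "stem_raw": stem_raw, "stem": stem_raw.lower(), "line": line})
    return entries


def looks_random(stem):
    """Vundo-style names: 6-8 lower-case letters with at most one vowel (hgghfef, yayyxww)."""
    return (6 <= len(stem) <= 8 and stem.isalpha() and stem.islower()
            and sum(c in VOWELS for c in stem) <= 1)


def triage(entries):
    """Score each entry; higher means more worth quarantining/submitting rather than just unregistering."""
    o2_stems = {e["stem"] for e in entries if e["kind"] == "O2" and e["stem"]}
    o20_stems = {e["stem"] for e in entries if e["kind"] == "O20" and e["stem"]}
    findings = []
    for e in entries:
        score, reasons = 0, []
        if e["missing"]:
            score += 1
            reasons.append("registration points at a file that no longer exists (orphan; fix the entry)")
        if looks_random(e["stem_raw"]):
            score += 2
            reasons.append("random-looking file name")
        if e["kind"] == "O2" and e["name"] == "(no name)" and "system32" in e["path"].lower():
            score += 1
            reasons.append("nameless BHO loaded from system32")
        if e["stem"] and e["stem"] in o2_stems and e["stem"] in o20_stems:
            score += 3
            reasons.append("same DLL registered as a BHO and as a Winlogon Notify handler")
        findings.append({"line": e["line"], "score": score, "reasons": reasons})
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_HJT)):
        print(f["score"], f["line"], "|", "; ".join(f["reasons"]) or "nothing notable")
```

The score is only a ranking aid. A "(no file)" entry is harmless on its own and just needs the registry entry removed, whereas a live DLL that is both a BHO and a Winlogon Notify handler is loaded into winlogon.exe at boot, which is why an on-demand scanner cannot simply delete it while Windows is running. Note that Spybot's SDHelper.dll also shows up as "(no name)" and scores zero here; the name field alone is not evidence.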

Need help

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:33:34 AM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Trojan somewhere. Avast won't delete it.

Thanks philly12. I downloaded SUPERAntiSpyware and ran a full scan. I now have 146 files in quarantine. The trojan horse warning has not shown up since. Is there anything I need to do next? All help is appreciated.

cheri2057, make a new post in the malware section of the forum. This is tomplat's topic. Tomplat, you should post an updated HJT log.

Thanks philly12. Here is the updated HJT log after doing the full scan with SUPERAntiSpyware:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:26:24 PM, on 2/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ThePort\XML Player\XMLplayer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F1E34EA-2BA3-4F3B-9F26-715731CB85D4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7CD02DF4-8ADA-4407-94E0-B6C328FF785F} - C:\Program Files\WindowsUpdate\hopetedC:\WINDOWS\system32\ip3\qopre83122.exe.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\system32\MSTMON_Y.EXE STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: myRCI.lnk = C:\Program Files\ThePort\XML Player\XMLplayer.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: yayyxww - yayyxww.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - America Online, Inc. - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 6194 bytes

It looks like there still may be some bad things in your report. You will have to wait for an avast admin to confirm what to fix. I am thinking that most of those SUPERAntiSpyware files were just cookies, correct? Were there any that were not cookies (including infected registry values and trojans)?

Hi philly12.
Of the 146 files quarantined, I can remember seeing 126 that were tracking cookies. While scanning, more (agent) trojans were found in System Restore and also in the System Volume Information files. Here is the list of quarantined items:

Adware.tracking cookie
Adware.vundo variant
Adware.vundo variant/Rel
Rogue.spydefender pro
Trojan.downloader-gen/MROFIN
Trojan.unclassified/Affiliate Bundle
Unclassified.unknown origin
Winpup(comms.exe)

Thanks for now.

Thanks ;D

Does anyone have anymore suggestions on what to do next? Thanks.

Open Spybot and make sure TeaTimer is disabled; we will re-enable it afterwards. To do so, do the following:

Click Mode
Click Advanced mode
If you get a warning, answer "yes"
Click Tools
Click Resident
Uncheck Resident "TeaTimer" and SDHelper if installed
Click Allow change
Reboot

Open HJT, run a system scan only, and check these lines if present:

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {7CD02DF4-8ADA-4407-94E0-B6C328FF785F} - C:\Program Files\WindowsUpdate\hopetedC:\WINDOWS\system32\ip3\qopre83122.exe.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O20 - Winlogon Notify: yayyxww - yayyxww.dll (file missing)

Close all other browsers/windows, click fix, close HJT.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks oldman.
Here are the logs you requested.
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:16 AM, on 2/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\ThePort\XML Player\XMLplayer.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\system32\MSTMON_Y.EXE STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Check Local Printer.lnk = C:\Program Files\KXP6X00\Chkpnt.exe
O4 - Global Startup: myRCI.lnk = C:\Program Files\ThePort\XML Player\XMLplayer.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - America Online, Inc. - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 5339 bytes

Here's the ComboFix log:
ComboFix 08-02-13.2 - TOM 2008-02-19 11:32:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.221 [GMT -5:00]
Running from: C:\Documents and Settings\TOM\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1201807837.old
C:\Program Files\WinBudget\bin\crap.1201815339.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1201815338.old
C:\Temp\tpBe12
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cghpugtc.ini
C:\WINDOWS\system32\dgjpvtew.ini
C:\WINDOWS\system32\fvhcgmhw.ini
C:\WINDOWS\system32\hiybiubw.ini
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\ityuurmi.ini
C:\WINDOWS\system32\jkoquogc.ini
C:\WINDOWS\system32\klnmp.ini
C:\WINDOWS\system32\naxadpyt.ini
C:\WINDOWS\system32\ojsdjgrh.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qfaqcrjc.ini
C:\WINDOWS\system32\sywdqmbh.ini
C:\WINDOWS\system32\unrjmuua.ini
C:\WINDOWS\system32\vjhdtyfa.ini
C:\WINDOWS\system32\wcfvrfyu.ini
C:\WINDOWS\system32\wetncosh.ini
C:\WINDOWS\system32\wncmhkml.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-14 11:49 . 2008-02-14 11:49 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-14 11:48 . 2008-02-14 22:19 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-14 11:48 . 2008-02-14 11:48 d-------- C:\Documents and Settings\TOM\Application Data\SUPERAntiSpyware.com
2008-02-14 11:47 . 2008-02-14 11:47 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-13 12:42 . 2008-02-13 12:42 d-------- C:\Program Files\Trend Micro
2008-02-13 12:10 . 2008-02-13 12:13 d-------- C:\WINDOWS\SxsCaPendDel
2008-02-09 22:13 . 2008-02-09 22:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-09 22:13 . 2008-02-09 22:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-05 13:44 . 2008-02-19 11:37 125 --a------ C:\portTuner.js
2008-02-05 11:58 . 2008-02-05 11:58 13 --a------ C:\WINDOWS\F500-027C-98FD-DA3F.dat
2008-01-30 22:56 . 2008-01-30 22:56 d-------- C:\WINDOWS\system32\bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 04:37 --------- d-----w C:\Program Files\Wisdom Quest
2008-02-10 03:28 --------- d-----w C:\Program Files\QuickTime
2008-02-10 03:13 --------- d-----w C:\Program Files\Wild Divine
2008-02-05 17:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-31 04:03 --------- d-----w C:\Program Files\Windows Defender
2008-01-31 04:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-01-31 04:03 --------- d-----w C:\Program Files\eMachines Bay Reader
2008-01-11 22:03 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-11 16:58 --------- d-----w C:\Program Files\Simply Accounting Basic 2007
2008-01-09 21:26 --------- d-----w C:\Program Files\ICQ
2007-12-20 23:38 --------- d-----w C:\Documents and Settings\TOM\Application Data\Sammsoft
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 39,792 2007-10-11 00:51:56 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 39,792 2008-01-12 03:16:38 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
----a-w 79,224 2007-12-04 13:00:23 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

----a-w 135,168 2004-03-12 12:18:54 C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe
----a-w 14,348 2008-01-31 04:01:27 C:\Program Files\eMachines Bay Reader\shwiconem.exe

----a-w 98,304 2004-12-29 02:01:54 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 98,304 2008-02-10 03:27:20 C:\Program Files\QuickTime\qttask.exe

----a-w 1,415,824 2005-05-31 05:04:00 C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
----a-w 14,348 2008-01-31 04:01:27 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

----a-w 866,584 2006-11-04 00:20:12 C:\Program Files\Windows Defender\bak\MSASCui.exe
----a-w 14,348 2008-01-31 04:01:27 C:\Program Files\Windows Defender\MSASCui.exe

----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 07:56:48 C:\WINDOWS\system32\ctfmon.exe

----a-w 118,784 2004-01-30 16:13:00 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 14,348 2008-01-31 04:01:27 C:\WINDOWS\system32\hkcmd.exe

----a-w 155,648 2004-01-30 16:13:24 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 14,348 2008-01-31 04:01:27 C:\WINDOWS\system32\igfxtray.exe

----a-w 184,320 2006-01-18 02:10:44 C:\WINDOWS\system32\bak\MSTMON_Y.EXE
----a-w 14,348 2008-01-31 04:01:27 C:\WINDOWS\system32\MSTMON_Y.EXE

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

Here's the rest of the ComboFix log:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\eMachines Bay Reader\shwiconem.exe" [2008-01-30 23:01 14348]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"KONICA MINOLTA PagePro 1400W STD"="C:\WINDOWS\system32\MSTMON_Y.exe" [2008-01-30 23:01 14348]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-30 23:01 14348]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2008-01-30 23:01 14348]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2008-01-30 23:01 14348]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-09 22:27 98304]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 02:56 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-05-01 13:09:15 1742384]
Check Local Printer.lnk - C:\Program Files\KXP6X00\Chkpnt.exe [2005-03-20 20:34:01 28672]
myRCI.lnk - C:\Program Files\ThePort\XML Player\XMLplayer.exe [2006-07-05 12:26:40 1258800]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2002-12-17 17:23:32 74308]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e000e16c]
C:\WINDOWS\system32\typdaxan.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyDefender Shield]
C:\Program Files\SpyDefender Pro\SpyDefender.exe

R1 KMWSLPT;KMWSLPT;C:\WINDOWS\System32\drivers\KMWSLPT.sys [1999-10-17 15:33]

.
Contents of the 'Scheduled Tasks' folder
"2008-02-19 16:39:50 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-02-19 16:36:47 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2007-10-24 14:30:44 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 11:37:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.


.
Completion time: 2008-02-19 11:41:16 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 16:41:06
.
2008-02-15 02:38:18 --- E O F ---

Please download FindAWF and save it to your desktop

Double-click the FindAWF icon

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter, to restore files from bak folders

A text file opens called: files.txt
Copy and paste all the lines below into files.txt

C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe
C:\Program Files\Windows Defender\bak\MSASCui.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\bak\MSTMON_Y.EXE

Next, close Notepad and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Thanks, here’s the FindAWF log:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Tue 02/19/2008
The current time is: 22:03:12.65

bak folders found



Directory of C:\PROGRA~1\EMACHI~1\BAK

03/12/2004  07:18 AM           135,168 shwiconem.exe
             1 File(s)        135,168 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

12/28/2004  09:01 PM            98,304 qttask.exe
             1 File(s)         98,304 bytes

Directory of C:\PROGRA~1\SPYBOT~1\BAK

05/31/2005  12:04 AM         1,415,824 TeaTimer.exe
             1 File(s)      1,415,824 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK

11/03/2006  07:20 PM           866,584 MSASCui.exe
             1 File(s)        866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004  02:56 AM            15,360 ctfmon.exe
01/30/2004  11:13 AM           118,784 hkcmd.exe
01/30/2004  11:13 AM           155,648 igfxtray.exe
01/17/2006  09:10 PM           184,320 MSTMON_Y.EXE
             4 File(s)        474,112 bytes

Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

12/04/2007  08:00 AM            79,224 ashDisp.exe
             1 File(s)         79,224 bytes

Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007  07:51 PM            39,792 Reader_sl.exe
             1 File(s)         39,792 bytes


Duplicate files of bak directory contents
  14348 Jan 30 2008 "C:\Program Files\eMachines Bay Reader\shwiconem.exe"
 135168 Mar 12 2004 "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"
  98304 Feb  9 2008 "C:\Program Files\QuickTime\qttask.exe"
  77824 Oct  1 2004 "C:\OldDrive\WINDOWS\SYSTEM\qttask.exe"
  98304 Dec 28 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
  14348 Jan 30 2008 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
  14348 Jan 30 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
 866584 Nov  3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
  15360 Aug  4 2004 "C:\WINDOWS\system32\ctfmon.exe"
  15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
 118784 Jan 30 2004 "C:\WINDOWS\system32\hkcmd.exe"
 118784 Jan 30 2004 "C:\Drivers\Video\Win2000\hkcmd.exe"
 118784 Jan 30 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
 118784 Jan 30 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
 155648 Jan 30 2004 "C:\WINDOWS\system32\igfxtray.exe"
 155648 Jan 30 2004 "C:\Drivers\Video\Win2000\igfxtray.exe"
 155648 Jan 30 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
 155648 Jan 30 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\igfxtray.exe"
 184320 Jan 17 2006 "C:\WINDOWS\system32\MSTMON_Y.EXE"
 184320 Jan 17 2006 "C:\WINDOWS\system32\bak\MSTMON_Y.EXE"
  79224 Dec  4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
  79224 Dec  4 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
  39792 Jan 11 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
  39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"

end of report
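The FindAWF report above pairs every preserved original in a bak\ folder with whatever now sits under the same name one level up, and the helper's description of option 2 says what to do with each pair: terminate the running copy, delete the rogue file in the parent folder, copy the original back. As an added example (this is not FindAWF's own code, which is by noahdfear), the Python script below parses that "Duplicate files" block and classifies each pair from the sizes and dates alone: a parent copy whose size differs from its bak original is the stand-in that must be replaced, one with the same size and date is already intact, and same size with a different date is worth a hash comparison before it is trusted. The sample report is constructed from this thread's log; the verdict names, the Pair record and the helper functions are this example's own assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath
from typing import List, NamedTuple, Optional

# Constructed sample: the "Duplicate files" block of the FindAWF log posted above.
SAMPLE_REPORT = r'''Duplicate files of bak directory contents
  14348 Jan 30 2008 "C:\Program Files\eMachines Bay Reader\shwiconem.exe"
 135168 Mar 12 2004 "C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe"
  98304 Feb  9 2008 "C:\Program Files\QuickTime\qttask.exe"
  77824 Oct  1 2004 "C:\OldDrive\WINDOWS\SYSTEM\qttask.exe"
  98304 Dec 28 2004 "C:\Program Files\QuickTime\bak\qttask.exe"
  14348 Jan 30 2008 "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
1415824 May 31 2005 "C:\Program Files\Spybot - Search & Destroy\bak\TeaTimer.exe"
  14348 Jan 30 2008 "C:\Program Files\Windows Defender\MSASCui.exe"
 866584 Nov  3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
  15360 Aug  4 2004 "C:\WINDOWS\system32\ctfmon.exe"
  15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
 118784 Jan 30 2004 "C:\WINDOWS\system32\hkcmd.exe"
 118784 Jan 30 2004 "C:\Drivers\Video\Win2000\hkcmd.exe"
 118784 Jan 30 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
 118784 Jan 30 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\hkcmd.exe"
 155648 Jan 30 2004 "C:\WINDOWS\system32\igfxtray.exe"
 155648 Jan 30 2004 "C:\Drivers\Video\Win2000\igfxtray.exe"
 155648 Jan 30 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
 155648 Jan 30 2004 "C:\WINDOWS\system32\ReinstallBackups\0011\DriverFiles\igfxtray.exe"
 184320 Jan 17 2006 "C:\WINDOWS\system32\MSTMON_Y.EXE"
 184320 Jan 17 2006 "C:\WINDOWS\system32\bak\MSTMON_Y.EXE"
  79224 Dec  4 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
  79224 Dec  4 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
  39792 Jan 11 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
  39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
end of report
'''

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$')


class Entry(NamedTuple):
    size: int
    date: str
    path: str


class Pair(NamedTuple):
    original: str            # the copy FindAWF kept under bak\
    target: str              # same file name in the parent folder
    original_size: int
    target_size: Optional[int]
    verdict: str             # "rogue", "intact", "check" or "missing" (names assumed here)


def parse_report(text: str) -> List[Entry]:
    """Keep only the size/date/path lines; headers and 'end of report' are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size, mon, day, year, path = m.groups()
            entries.append(Entry(int(size), f"{mon} {day} {year}", path))
    return entries


def triage(entries: List[Entry]) -> List[Pair]:
    """Pair each bak\\ original with the parent-folder file of the same name (case-insensitive)."""
    by_path = {e.path.lower(): e for e in entries}
    pairs = []
    for e in entries:
        p = PureWindowsPath(e.path)
        if p.parent.name.lower() != "bak":
            continue
        target = str(p.parent.parent / p.name)
        t = by_path.get(target.lower())
        if t is None:
            verdict = "missing"          # nothing runs under that name any more
        elif t.size != e.size:
            verdict = "rogue"            # different size: the swapped-in stand-in
        elif t.date != e.date:
            verdict = "check"            # same size, different date: hash before trusting
        else:
            verdict = "intact"
        pairs.append(Pair(e.path, target, e.size, None if t is None else t.size, verdict))
    return pairs


def restore_list(pairs: List[Pair]) -> List[str]:
    """bak\\ paths to paste into FindAWF's files.txt (option 2)."""
    return [p.original for p in pairs if p.verdict in ("rogue", "missing")]


def stub_sizes(pairs: List[Pair]) -> List[int]:
    """Sizes of the rogue parent copies; one shared size points at one dropper."""
    return sorted({p.target_size for p in pairs if p.verdict == "rogue"})


def verdict_by_name(pairs: List[Pair]) -> dict:
    return {PureWindowsPath(p.target).name.lower(): p.verdict for p in pairs}


def summary(pairs: List[Pair]) -> dict:
    return dict(Counter(p.verdict for p in pairs))


if __name__ == "__main__":
    pairs = triage(parse_report(SAMPLE_REPORT))
    for p in pairs:
        print(f"{p.verdict:7} {p.target}  ({p.target_size} vs original {p.original_size})")
    print("stub sizes:", stub_sizes(pairs))
    print("restore via option 2:", *restore_list(pairs), sep="\n  ")
```

On this thread's report the three 14,348-byte parent copies (shwiconem.exe, TeaTimer.exe, MSASCui.exe) come out as rogue with a single shared stub size, five pairs are intact, and qttask.exe and reader_sl.exe land in "check" because their dates moved while their sizes did not. That last bucket is exactly where a size-only comparison is blind, which is why the helper later sends the remaining file to VirusTotal rather than trusting the listing.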

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt

Please copy and paste the bold text below into folders.txt

C:\PROGRA~1\EMACHI~1\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\PROGRA~1\SPYBOT~1\BAK
C:\PROGRA~1\WINDOW~4\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\ALWILS~1\AVAST4\BAK
C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

Next, close Notepad and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File:: C:\WINDOWS\system32\typdaxan.dll

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e000e16c]

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

note when doing the combofix fix

A window may open with a warning. Type "1" (and Enter) to start the fix. When the scan completes, Notepad will open with your results log. Click File, click Exit and answer 'Yes' to save changes.

Thanks, here are the 3 logs you requested:

Well, this is kind of unusual. Everything seems to have gone well except we have an extra version of one file running.

We’ll test them and see what they come back as.

Please submit these files for analysis

To submit a file to VirusTotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\eMachines Bay Reader\bak\shwiconem.exe

scroll down a bit and click "send file", wait for the results and post them in your next reply.

Here's the first file result, eMachines Bay Reader\shwiconem.exe:
File shwiconem.exe received on 02.21.2008 05:09:31 (CET)
Result: 22/32 (68.75%)

Antivirus Version Last Update Result
AhnLab-V3 2008.2.20.0 2008.02.20 Win-Trojan/Killav.14348
AntiVir 7.6.0.67 2008.02.20 TR/Killav.oe
Authentium 4.93.8 2008.02.21 -
Avast 4.7.1098.0 2008.02.20 -
AVG 7.5.0.516 2008.02.21 Downloader.Generic6.AGDE
BitDefender 7.2 2008.02.21 Trojan.Downloader.JJNE
CAT-QuickHeal 9.50 2008.02.20 Win32.Trojan.KillAV.oe
ClamAV 0.92.1 2008.02.21 Trojan.Downloader-23242
DrWeb 4.44.0.09170 2008.02.20 Trojan.DownLoader.46262
eSafe 7.0.15.0 2008.02.20 -
eTrust-Vet 31.3.5551 2008.02.21 -
Ewido 4.0 2008.02.20 -
FileAdvisor 1 2008.02.21 -
Fortinet 3.14.0.0 2008.02.19 -
F-Prot 4.4.2.54 2008.02.20 W32/KillAV.C.gen!Eldorado
F-Secure 6.70.13260.0 2008.02.21 W32/Zonebac.gen2
Ikarus T3.1.1.20 2008.02.21 Trojan.Win32.KillAV.oe
Kaspersky 7.0.0.125 2008.02.21 Trojan.Win32.KillAV.oe
McAfee 5234 2008.02.20 Generic Downloader.af
Microsoft 1.3204 2008.02.20 Backdoor:Win32/Zonebac.gen!F
NOD32v2 2891 2008.02.21 a variant of Win32/KillAV.OE
Norman 5.80.02 2008.02.20 W32/Zonebac.gen2
Panda 9.0.0.4 2008.02.20 Trj/Downloader.SLJ
Prevx1 V2 2008.02.21 Trojan.Nudos
Rising 20.32.22.00 2008.02.20 -
Sophos 4.26.0 2008.02.21 -
Sunbelt 3.0.884.0 2008.02.19 -
Symantec 10 2008.02.21 Trojan.Zonebac
TheHacker 6.2.9.225 2008.02.21 Trojan/KillAV.oe
VBA32 3.12.6.1 2008.02.17 Trojan.Win32.KillAV.oe
VirusBuster 4.3.26:9 2008.02.20 Trojan.Killav.NS
Webwasher-Gateway 6.6.2 2008.02.20 Trojan.Killav.oe
Additional information
File size: 14348 bytes
MD5: ed4a836e7f0276765bd88ac29ff69ee1
SHA1: 6ad8be622fbe480eac01b14eaeca59036fa497a0
PEiD: -
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=CC9EFC960C57C28638680048380C89006518478C

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.
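A multi-engine result like the one above carries more than the headline ratio: the detection names cluster into families (KillAV, a downloader, Zonebac), and the list of engines that returned "-" tells you whether the product installed on the infected machine was ever going to catch the file. As an added example (this is not VirusTotal's own code or API, and the column layout it parses is the plain-text report format posted in this thread), the Python script below reads that per-engine table, recomputes the 22/32 ratio, tallies family words across vendors, and checks which named engines missed the sample. The sample table is constructed from the result above; the NOISE word list, the Row record and the function names are this example's own assumptions.

```python
import re
from collections import Counter
from typing import List, NamedTuple, Tuple

# Constructed sample: the per-engine table from the VirusTotal result posted above.
SAMPLE_VT = """Antivirus Version Last Update Result
AhnLab-V3 2008.2.20.0 2008.02.20 Win-Trojan/Killav.14348
AntiVir 7.6.0.67 2008.02.20 TR/Killav.oe
Authentium 4.93.8 2008.02.21 -
Avast 4.7.1098.0 2008.02.20 -
AVG 7.5.0.516 2008.02.21 Downloader.Generic6.AGDE
BitDefender 7.2 2008.02.21 Trojan.Downloader.JJNE
CAT-QuickHeal 9.50 2008.02.20 Win32.Trojan.KillAV.oe
ClamAV 0.92.1 2008.02.21 Trojan.Downloader-23242
DrWeb 4.44.0.09170 2008.02.20 Trojan.DownLoader.46262
eSafe 7.0.15.0 2008.02.20 -
eTrust-Vet 31.3.5551 2008.02.21 -
Ewido 4.0 2008.02.20 -
FileAdvisor 1 2008.02.21 -
Fortinet 3.14.0.0 2008.02.19 -
F-Prot 4.4.2.54 2008.02.20 W32/KillAV.C.gen!Eldorado
F-Secure 6.70.13260.0 2008.02.21 W32/Zonebac.gen2
Ikarus T3.1.1.20 2008.02.21 Trojan.Win32.KillAV.oe
Kaspersky 7.0.0.125 2008.02.21 Trojan.Win32.KillAV.oe
McAfee 5234 2008.02.20 Generic Downloader.af
Microsoft 1.3204 2008.02.20 Backdoor:Win32/Zonebac.gen!F
NOD32v2 2891 2008.02.21 a variant of Win32/KillAV.OE
Norman 5.80.02 2008.02.20 W32/Zonebac.gen2
Panda 9.0.0.4 2008.02.20 Trj/Downloader.SLJ
Prevx1 V2 2008.02.21 Trojan.Nudos
Rising 20.32.22.00 2008.02.20 -
Sophos 4.26.0 2008.02.21 -
Sunbelt 3.0.884.0 2008.02.19 -
Symantec 10 2008.02.21 Trojan.Zonebac
TheHacker 6.2.9.225 2008.02.21 Trojan/KillAV.oe
VBA32 3.12.6.1 2008.02.17 Trojan.Win32.KillAV.oe
VirusBuster 4.3.26:9 2008.02.20 Trojan.Killav.NS
Webwasher-Gateway 6.6.2 2008.02.20 Trojan.Killav.oe
"""

# One table row: <engine> <version> <yyyy.mm.dd> <result...>; the header has no date, so it is skipped.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+?)\s*$")

# Generic classifier words that name no family (assumed list; extend as needed).
NOISE = {"trojan", "generic", "variant", "backdoor", "heuristic", "suspicious"}


class Row(NamedTuple):
    engine: str
    version: str
    updated: str
    result: str   # "" when the engine reported "-"


def parse_vt(text: str) -> List[Row]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            engine, version, updated, result = m.groups()
            rows.append(Row(engine, version, updated, "" if result == "-" else result))
    return rows


def detection_ratio(rows: List[Row]) -> Tuple[int, int]:
    """(engines that flagged the file, engines that scanned it)."""
    return sum(1 for r in rows if r.result), len(rows)


def family_tally(rows: List[Row]) -> Counter:
    """Count alphabetic words of 4+ letters in each result, once per engine, minus NOISE."""
    tally: Counter = Counter()
    for r in rows:
        words = {w for w in re.split(r"[^a-z0-9]+", r.result.lower()) if w.isalpha() and len(w) >= 4}
        tally.update(words - NOISE)
    return tally


def missed_by(rows: List[Row], engine_prefix: str) -> bool:
    """True if an engine whose name starts with engine_prefix scanned the file and reported '-'."""
    return any(r.engine.lower().startswith(engine_prefix.lower()) and not r.result for r in rows)


if __name__ == "__main__":
    rows = parse_vt(SAMPLE_VT)
    hits, total = detection_ratio(rows)
    print(f"{hits}/{total} engines flagged the file")
    print("families:", family_tally(rows).most_common(3))
    print("missed by the machine's own Avast:", missed_by(rows, "Avast"))
```

On this sample the tally puts KillAV first (11 engines), a generic downloader second (6) and Zonebac third (4), which fits what the thread found: a small stub that stands in for security-tool startup entries. The "missed_by" check returns True for Avast, the resident scanner on this machine, which is why the file survived a month of warnings from a different component. A word tally is a coarse heuristic; it is meant to orient the analyst, not to replace reading the individual names.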