Please help, a couple of trojans

system · October 4, 2007, 4:03am

Hi
I’m not an avast user…yet. This site was recommended to me as a great place for help.

A couple of days ago, I was hit with w32:checkout. When I saw something was going on, I got off line and ran a scan with mcafee. It found and quarinted the bug. I turned off system restore, rebooted and rescanned. the system showed clean. Created a new restore point and scanned with avg anti spyware and sas. Neither found much other than cookies and a toolbar which has weater reports.

avg (without cookies)

C:\Program Files\HbTools\HBTV\HBTV.exe → Adware.180Solutions : Ignored.
C:\Program Files\HbTools\HBTV\uninstaller.exe → Adware.180Solutions : Ignored.
C:\Program Files\HbTools\Bin\4.8.4.0\Cml.exe → Adware.HotBar : Ignored.
C:\Program Files\HbTools\Bin\4.8.4.0\HbtHostIE.dll → Adware.HotBar : Ignored.
C:\Program Files\HbTools\Bin\4.8.4.0\HbtSrv.exe → Adware.Hotbar : Ignored.
C:\Program Files\HbTools\Bin\4.8.4.0\HbtWallpaper.dll → Adware.Hotbar : Ignored.
C:\Program Files\HbTools\HBTV\HBTVHelper.dll → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand.1 → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand\CLSID → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbTools.HbtCommBand\CurVer → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtHostIE.Bho → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtHostIE.Bho.1 → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtHostIE.Bho\CLSID → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtHostIE.Bho\CurVer → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices.1 → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices\CLSID → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtSrv.HbtCoreServices\CurVer → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtTools.HbMain → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtTools.HbMain.1 → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtTools.HbMain\CLSID → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Classes\HbtTools.HbMain\CurVer → Adware.HotBar : Ignored.
HKLM\SOFTWARE\HbTools → Adware.HotBar : Ignored.
HKLM\SOFTWARE\HbTools\HbTools → Adware.HotBar : Ignored.
HKLM\SOFTWARE\HbTools\HbTools\Install → Adware.HotBar : Ignored.
HKLM\SOFTWARE\HbTools\HbTools\PI → Adware.HotBar : Ignored.
HKLM\SOFTWARE\HbTools\HbTools\PI\3.2 → Adware.HotBar : Ignored.
HKLM\SOFTWARE\HbTools\Install → Adware.HotBar : Ignored.
HKLM\SOFTWARE\HbTools\Install\CmpMap → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HbToolsOutlookTools → Adware.HotBar : Ignored.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HbToolsWebTools → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1006\Software\HbTools → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1006\Software\HbTools\HbTools → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1006\Software\HbTools\HbTools\options → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1006\Software\HbTools\HbTools\updates → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1006\Software\HbTools\Time → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1006\Software\HbTools\Time\HostIE → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1006\Software\HbTools\Time\HostIE\updates → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools\HbTools → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools\HbTools\MultiUrl → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools\HbTools\mail → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools\HbTools\options → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools\HbTools\updates → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools\Time → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools\Time\HostIE → Adware.HotBar : Ignored.
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\HbTools\Time\HostIE\updates → Adware.HotBar : Ignored.

sas (without cookies)

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/02/2007 at 04:35 PM

Application Version : 3.9.1008

Core Rules Database Version : 3317
Trace Rules Database Version: 1318

Scan type : Complete Scan
Total Scan Time : 00:30:39

Memory items scanned : 809
Memory threats detected : 0
Registry items scanned : 7272
Registry threats detected : 49
File items scanned : 50478
File threats detected : 569

Adware.HotBar/SpamBlockerUtility (Low Risk)
HKLM\Software\Classes\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}
HKCR\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}
HKCR\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}
HKCR\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}\InprocServer32
HKCR\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}\InprocServer32#ThreadingModel
HKCR\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}\ProgID
HKCR\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}\Programmable
HKCR\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}\TypeLib
HKCR\CLSID{74CC49F7-EB32-4A08-B204-948962A6E3DB}\VersionIndependentProgID
C:\PROGRAM FILES\HBTOOLS\BIN\4.8.4.0\HBTHOSTIE.DLL
HKLM\Software\Classes\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Control
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Implemented Categories
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Implemented Categories{00021494-0000-0000-C000-000000000046}
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\InprocServer32
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\InprocServer32#ThreadingModel
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Instance
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Instance#CLSID
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Instance\InitPropertyBag
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Instance\InitPropertyBag#Url
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\MiscStatus
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\MiscStatus\1
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\ProgID
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Programmable
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\ToolboxBitmap32
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\TypeLib
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\Version
HKCR\CLSID{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}\VersionIndependentProgID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{74CC49F7-EB32-4A08-B204-948962A6E3DB}
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{74CC49F7-EB32-4A08-B204-948962A6E3DB}
HKCR\HbtHostIE.Bho.1
HKCR\HbtHostIE.Bho.1\CLSID
HKCR\HbtHostIE.Bho
HKCR\HbtHostIE.Bho\CLSID
HKCR\HbtHostIE.Bho\CurVer
HKCR\TypeLib{45397063-D7D0-47C2-9508-26487608A298}
HKCR\TypeLib{45397063-D7D0-47C2-9508-26487608A298}\1.0
HKCR\TypeLib{45397063-D7D0-47C2-9508-26487608A298}\1.0\0
HKCR\TypeLib{45397063-D7D0-47C2-9508-26487608A298}\1.0\0\win32
HKCR\TypeLib{45397063-D7D0-47C2-9508-26487608A298}\1.0\FLAGS
HKCR\TypeLib{45397063-D7D0-47C2-9508-26487608A298}\1.0\HELPDIR
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}
HKU\S-1-5-21-2826111230-2069346872-300340464-1007\Software\Microsoft\Internet Explorer\Explorer Bars{7E66936C-FEA0-4984-AD26-7B6661AC5B2E}

Adware.Zango Toolbar/Hb
HKCR\Wallpaper.WallpaperManager
HKCR\Wallpaper.WallpaperManager\CLSID
HKCR\Wallpaper.WallpaperManager\CurVer
HKCR\Wallpaper.WallpaperManager.1
HKCR\Wallpaper.WallpaperManager.1\CLSID

Adware.HotBar (Low Risk)
C:\PROGRAM FILES\HBTOOLS\BIN\4.8.4.0\HBTSRV.EXE
C:\PROGRAM FILES\HBTOOLS\BIN\HBTUNINST.EXE

system · October 4, 2007, 4:11am

I ran highjackthis and found funweb product. I noticed some strange file names, highlighted in red

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:58:00 PM, on 10/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\awjtcurhkn.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\WINDOWS\system32\wkssvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Documents and Settings\Margaret\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=5061101
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=5061101
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: TVEngine Helper - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\hbtools\hbtv\hbtvhelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: HbTools - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\HbTools\Bin\4.8.4.0\HbtHostIE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\HbTools\Bin\4.8.4.0\HbtHostIE.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM..\Run: [CTDVDDET] “C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE”
O4 - HKLM..\Run: [VolPanel] “C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe” /r
O4 - HKLM..\Run: [AudioDrvEmulator] “C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe” -1 AudioDrvEmulator “C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll”
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [Microsoft Spooler] wkssvc.exe
O4 - HKLM..\Run: [kreu] C:\WINDOWS\system32\kreu.exe
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [awjtcurhkn] C:\WINDOWS\system32\awjtcurhkn.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [SRS Audio Sandbox] “C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe” /hideme
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: Add to AMV Converter… - C:\Program Files\MP3 Player Utilities 4.03\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager… - C:\Program Files\MP3 Player Utilities 4.03\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

system · October 4, 2007, 4:15am

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Margaret\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162942287093
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (i3ai7dqguap) - Unknown owner - C:\WINDOWS\system32\kreu.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

system · October 4, 2007, 4:23am

I tried to submit the files to virustotal, krue.exe can back as trojan, while awjtcurhkn.exe wouldn’t upload, said 0 bytes. It shows in explorer as the same size as krue, 104448 bytes.

virustotal scan

Antivirus Version Last Update Result
AhnLab-V3 2007.10.3.0 2007.10.02 Win32/IRCBot.worm.variant
AntiVir 7.6.0.18 2007.10.03 -
Authentium 4.93.8 2007.10.03 W32/Ircbot.YO
Avast 4.7.1051.0 2007.10.03 -
AVG 7.5.0.488 2007.10.03 Downloader.Generic6.LCG
BitDefender 7.2 2007.10.03 Backdoor.IRCBot.ABFU
CAT-QuickHeal 9.00 2007.10.03 -
ClamAV 0.91.2 2007.10.03 Trojan.IRCBot-1185
DrWeb 4.44.0.09170 2007.10.03 Trojan.Spambot.2464
eSafe 7.0.15.0 2007.10.02 -
eTrust-Vet 31.2.5183 2007.10.03 Win32/Pinsool.A
Ewido 4.0 2007.10.03 -
FileAdvisor 1 2007.10.04 -
Fortinet 3.11.0.0 2007.10.03 -
F-Prot 4.3.2.48 2007.10.03 W32/Ircbot.YO
F-Secure 6.70.13030.0 2007.10.04 W32/Agent.CPRW
Ikarus T3.1.1.12 2007.10.04 Trojan.Win32.Pakes.de
Kaspersky 7.0.0.125 2007.10.04 -
McAfee 5133 2007.10.03 -
Microsoft 1.2908 2007.10.04 Backdoor:Win32/Oderoor.B
NOD32v2 2569 2007.10.03 Win32/IRCBot.ZL
Norman 5.80.02 2007.10.03 W32/Agent.CPRW
Panda 9.0.0.4 2007.10.04 Trj/Agent.GQX
Prevx1 V2 2007.10.04 Browser Based Pereni:Trojan-Numerates
Rising 19.43.20.00 2007.10.03 -
Sophos 4.22.0 2007.10.03 -
Sunbelt 2.2.907.0 2007.10.04 -
Symantec 10 2007.10.04 -
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.03 Backdoor.Win32.IRCBot.aiu
VirusBuster 4.3.26:9 2007.10.03 Backdoor.IRCBot.BGG
Webwasher-Gateway 6.0.1 2007.10.03 -
Additional information
File size: 104448 bytes
MD5: fff4769d85561b62cbbd6af363c47d0a
SHA1: bf0798cc91015016c985defa80dbc15f4dc68701
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=6E0FB8A0007DD73B9834013BBBBB5B009D730CFE

I realize it’s running as service, but i’m not sure hoe to deal with it, as this gets more interesting.

system · October 4, 2007, 4:31am

I thought I would clean webfun out before posting this. After removing funweb, I ran hjt again. Some of the file name where changed, others where added.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:01:18 PM, on 10/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wkssvc.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\HiJackThis\hijackmaggie.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=5061101
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=5061101
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: TVEngine Helper - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\hbtools\hbtv\hbtvhelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: HbTools - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\HbTools\Bin\4.8.4.0\HbtHostIE.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\HbTools\Bin\4.8.4.0\HbtHostIE.dll (file missing)
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM..\Run: [CTDVDDET] “C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE”
O4 - HKLM..\Run: [VolPanel] “C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe” /r
O4 - HKLM..\Run: [AudioDrvEmulator] “C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe” -1 AudioDrvEmulator “C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll”
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [Microsoft Spooler] wkssvc.exe
O4 - HKLM..\Run: [kreu] C:\WINDOWS\system32\kreu.exe

system · October 4, 2007, 4:32am

O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [awjtcurhkn] C:\WINDOWS\system32\awjtcurhkn.exe
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SRS Audio Sandbox] “C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe” /hideme
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-2826111230-2069346872-300340464-1006..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User ‘Derrick’)
O4 - HKUS\S-1-5-21-2826111230-2069346872-300340464-1006..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup (User ‘Derrick’)
O4 - HKUS\S-1-5-21-2826111230-2069346872-300340464-1006..\Run: [msnmsgr] “C:\Program Files\MSN Messenger\msnmsgr.exe” /background (User ‘Derrick’)
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: Add to AMV Converter… - C:\Program Files\MP3 Player Utilities 4.03\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager… - C:\Program Files\MP3 Player Utilities 4.03\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Margaret\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162942287093
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (i3ai7dqguap) - Unknown owner - C:\WINDOWS\system32\fkclipclzoz.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

–
End of file - 14411 bytes

system · October 4, 2007, 4:41am

I scanned wkssvc.exe

Antivirus Version Last Update Result
AhnLab-V3 2007.10.3.0 2007.10.02 Win32/IRCBot.worm.51200.N
AntiVir 7.6.0.18 2007.10.03 Worm/IrcBot.51200.13
Authentium 4.93.8 2007.10.03 -
Avast 4.7.1051.0 2007.10.03 Win32:Ircbot-CFW
AVG 7.5.0.488 2007.10.03 BackDoor.Ircbot.BPS
BitDefender 7.2 2007.10.03 Backdoor.IRCBot.ABFR
CAT-QuickHeal 9.00 2007.10.03 Backdoor.IRCBot.baq
ClamAV 0.91.2 2007.10.04 Trojan.IRCBot-1167
DrWeb 4.44.0.09170 2007.10.03 BackDoor.IRC.Suicide
eSafe 7.0.15.0 2007.10.02 Win32.IRCBot.ahm
eTrust-Vet 31.2.5183 2007.10.03 -
Ewido 4.0 2007.10.03 -
FileAdvisor 1 2007.10.04 -
Fortinet 3.11.0.0 2007.10.03 W32/IRCBot.AHM!tr.bdr
F-Prot 4.3.2.48 2007.10.03 -
F-Secure 6.70.13030.0 2007.10.04 Backdoor.Win32.IRCBot.ahm
Ikarus T3.1.1.12 2007.10.04 Backdoor.Win32.IRCBot.ahm
Kaspersky 7.0.0.125 2007.10.04 Backdoor.Win32.IRCBot.ahm
McAfee 5133 2007.10.03 -
Microsoft 1.2908 2007.10.04 Trojan:Win32/DelfInject.gen!D
NOD32v2 2569 2007.10.03 Win32/IRCBot
Norman 5.80.02 2007.10.03 DLoader.DRKO
Panda 9.0.0.4 2007.10.04 Trj/Agent.GNN
Prevx1 V2 2007.10.04 Worm.DREFIR.D
Rising 19.43.20.00 2007.10.03 -
Sophos 4.22.0 2007.10.04 W32/IRCBot-XX
Sunbelt 2.2.907.0 2007.10.04 -
Symantec 10 2007.10.04 -
TheHacker 6.2.6.076 2007.10.03 -
VBA32 3.12.2.4 2007.10.03 Backdoor.Win32.IRCBot.ahm
VirusBuster 4.3.26:9 2007.10.03 Backdoor.IRCBot.BFL
Webwasher-Gateway 6.0.1 2007.10.03 Worm.IrcBot.51200.13
Additional information
File size: 51200 bytes
MD5: b03273734a1670aaa20039b249058137
SHA1: fa57cb0ba2b8fe74472198c0a128d48b630fec5b

I never bothered with fkclipclzoz.exe It seems like it would probably be the same detection.

Some thing is going on, as mcafee again detected w32:checkout. I haven’t used messenger for a while. BTW, I cleaned the temp files before clearing out the system restore points mentioned in the first post.

I’m sorry for the long post, I just wanted to be kind of prepared.

Thanks

system · October 4, 2007, 5:32am

Hi maggie. Welcome to the forum. We’ll make you an avast! convert in no time

There are still traces of adware in your log so we’ll after that and the trojans. This will take a few steps.

Please download OTMoveIt by OldTimer. Save it to your desktop - we will use it shortly.

Now open HJT and click to Do a System Scan Only. When complete place a check mark next to these lines
[b]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://resultsmaster.com/SmartOffers/Services/resultsmaster/ResultsMasterHomeLeftPane.htm

O2 - BHO: TVEngine Helper - {4B18DD50-C996-44fc-AC52-0FECFF82ED58} - c:\program files\hbtools\hbtv\hbtvhelper.dll (file missing)

O2 - BHO: HbTools - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\HbTools\Bin\4.8.4.0\HbtHostIE.dll (file missing)

O3 - Toolbar: H&otbar - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\Program Files\HbTools\Bin\4.8.4.0\HbtHostIE.dll (file missing)

O4 - HKLM..\Run: [Microsoft Spooler] wkssvc.exe

O4 - HKLM..\Run: [kreu] C:\WINDOWS\system32\kreu.exe

O4 - HKLM..\Run: [awjtcurhkn] C:\WINDOWS\system32\awjtcurhkn.exe

O23 - Service: Print Spooler Service (i3ai7dqguap) - Unknown owner - C:\WINDOWS\system32\fkclipclzoz.exe
[/b]
Close all other windows, including your browser, and click Fix Checked. Close HJT.

Open Add/Remove Programs in the Control Panel and uninstall any of the following that you find:

My Web Search
My Way Speedbar
Search Assistant - My Way
Hotbar Web Tools
Hotbar Outlook Tools
Shopper Reports by Hotbar

Edit: Also let me know if you see any unusual programs you don’t recognize.

Next, double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

c:\program files\hbtools
C:\WINDOWS\system32\ wkssvc.exe
C:\WINDOWS\system32\kreu.exe
C:\WINDOWS\system32\awjtcurhkn.exe
C:\WINDOWS\system32\fkclipclzoz.exe

Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Now download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix’s window while its running. That may cause it to stall.

system · October 5, 2007, 2:19am

Thank you for the help and the welcome to the forum.
Found file wkssvc.exe and awjtcurhkn.exe in start up files.
Before I could do anything someone(my husband)uninstalled msn messenger and quick time. The files were no longer in started up after he unistalled those programs.
When i did the hjt fix kreu.exe and awjtcurhkn.exe were not found.When I did the add/remove the hotbar tools tried to open a browser.
After combofix ran macfee advised me with registry console tool was trying to make changes in internet explorer restrictions-c:\windows\system32\reg.exe i was not sure what to do so i allowed it to because the registry tool is a legitimate program. mistake???
Did not find any unusual programs in add/remove

moveit
Folder c:\program files\hbtools\ not found.
c:\windows\system32\wkssvc.exe moved successfully.
File/Folder c:\windows\system32\kreu.exe not found.
File/Folder c:windows\system32\awjtcurhkn.exe not found.
File/Folder c:\windows\system32\fkclipclzoz.exe not found.

Created on 10/04/2007 19:05:44

system · October 5, 2007, 2:26am

combofix
ComboFix 07-10-04.6 - Margaret 2007-10-04 19:12:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1508 [GMT -6:00]
Running from: C:\Documents and Settings\Margaret\Desktop\ComboFix.exe

Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Hotbar
C:\WINDOWS\system32\p.exe

.
((((((((((((((((((((((((( Files Created from 2007-09-05 to 2007-10-05 )))))))))))))))))))))))))))))))
.

2007-10-04 19:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-04 17:51 d-------- C:\WINDOWS\SxsCaPendDel
2007-10-03 19:43 d–h----- C:\WINDOWS\PIF
2007-10-03 06:07 104,448 --a------ C:\WINDOWS\system32\jcq.exe
2007-10-02 20:03 104,448 --a------ C:\WINDOWS\system32\pidogjbyxbqf.exe
2007-10-01 21:51 104,448 --a------ C:\WINDOWS\system32\mjeoc.exe
2007-10-01 20:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-01 20:50 d-------- C:\Program Files\SUPERAntiSpyware
2007-10-01 20:50 d-------- C:\Documents and Settings\Margaret\Application Data\SUPERAntiSpyware.com
2007-10-01 20:50 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-01 04:16 104,448 --a------ C:\WINDOWS\system32\nttbjirnrqd.exe
2007-09-27 02:49 104,448 --a------ C:\WINDOWS\system32\gjlz.exe
2007-09-26 20:13 104,448 --a------ C:\WINDOWS\system32\ggn.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-10-04 17:53 --------- d-------- C:\Program Files\McAfee
2007-10-04 17:50 --------- d-------- C:\Program Files\MSN Messenger
2007-10-02 22:04 --------- d-------- C:\Documents and Settings\Margaret\Application Data\Corel
2007-10-01 20:49 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-19 09:08 --------- d-------- C:\Program Files\LimeWire
2007-08-28 14:17 --------- d-------- C:\Program Files\TELUS eCare
2007-08-28 14:17 --------- d-------- C:\Program Files\Common Files\Motive
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-19 00:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 17:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2006-02-19 04:28 12288 --a------ C:\WINDOWS\Fonts\RandFont.dll

system · October 5, 2007, 2:30am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-09-29 14:01]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-06-16 08:39]
“CTHelper”=“CTHELPER.EXE” [2005-11-08 05:30 C:\WINDOWS\CTHELPER.EXE]
“CTxfiHlp”=“CTXFIHLP.EXE” [2006-03-01 21:00 C:\WINDOWS\system32\CTXFIHLP.EXE]
“IAAnotif”=“C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe” [2006-07-06 07:15]
“DMXLauncher”=“C:\Program Files\Dell\Media Experience\DMXLauncher.exe” [2006-05-03 04:12]
“CTDVDDET”=“C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE” [2003-06-18 01:00]
“VolPanel”=“C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe” [2005-10-14 11:01]
“AudioDrvEmulator”=“C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe” [2005-11-04 18:07]
“UpdReg”=“C:\WINDOWS\UpdReg.EXE” [2000-05-11 01:00]
“DLA”=“C:\WINDOWS\System32\DLA\DLACTRLW.EXE” [2005-09-08 05:20]
“ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe” [2004-07-27 16:50]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2004-07-27 16:50]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2006-11-14 20:49]
“HP Software Update”=“C:\Program Files\HP\HP Software Update\HPWuSchd2.exe” [2006-02-19 03:41]
“Motive SmartBridge”=“C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe” [2006-12-09 08:12]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2007-04-27 11:25]
“mcagent_exe”=“C:\Program Files\McAfee.com\Agent\mcagent.exe” [2007-08-04 02:33]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe” [2007-07-12 04:00]
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 03:25]
“MSConfig”=“C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe” [2005-09-26 18:34]
“Corel Photo Downloader”=“C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe” [2007-02-06 11:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-10 05:00]
“DellSupport”=“C:\Program Files\Dell Support\DSAgnt.exe” [2006-07-16 21:29]
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-06-20 06:43]
“SRS Audio Sandbox”=“C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
“HbTools”=cmd /c “rmdir “C:\Program Files\HbTools” /s /q”

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-11-01 22:08:07]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20]
TELUS eCare.lnk - C:\Program Files\TELUS eCare\bin\matcli.exe [2006-12-08 10:05:11]

system · October 5, 2007, 2:32am

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=“”

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=“”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Margaret^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Margaret\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg!AVG Anti-Spyware]
“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
“C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1162440637\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
“C:\Program Files\QuickTime\qttask.exe” -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys
S2 i3ai7dqguap;Print Spooler Service;C:\WINDOWS\system32\fkclipclzoz.exe /service
S3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter_i386.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

Newly Created Service - CATCHME
.
Contents of the ‘Scheduled Tasks’ folder
“2007-10-02 05:12:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job”
“2007-09-15 07:24:08 C:\WINDOWS\Tasks\McDefragTask.job”

c:\program files\mcafee\mqc\QcConsol.exe
“2007-10-01 07:00:00 C:\WINDOWS\Tasks\McQcTask.job”
c:\program files\mcafee\mqc\QcConsol.exe
.

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 19:15:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files …

.
Completion time: 2007-10-04 19:16:31
C:\ComboFix-quarantined-files.txt … 2007-10-04 19:15
.
— E O F —

system · October 5, 2007, 2:38am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:01:52 PM, on 10/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\TELUS eCare\bin\mpbtn.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HiJackThis\hijackmaggie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=5061101
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM..\Run: [CTDVDDET] “C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE”
O4 - HKLM..\Run: [VolPanel] “C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe” /r
O4 - HKLM..\Run: [AudioDrvEmulator] “C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe” -1 AudioDrvEmulator “C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll”
O4 - HKLM..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe”
O4 - HKLM..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM..\RunOnce: [HbTools] cmd /c “rmdir “C:\Program Files\HbTools” /s /q”
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SRS Audio Sandbox] “C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe” /hideme
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: Add to AMV Converter… - C:\Program Files\MP3 Player Utilities 4.03\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager… - C:\Program Files\MP3 Player Utilities 4.03\MediaManager\grab.html

system · October 5, 2007, 2:39am

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Margaret\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {40272BF7-4FF5-4D6F-9BAD-3C1D3CB32982} (Live365PlayerVIP Class) - http://www.live365.com/players/p365vip.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162942287093
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Print Spooler Service (i3ai7dqguap) - Unknown owner - C:\WINDOWS\system32\fkclipclzoz.exe (file missing)
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

–
End of file - 12927 bytes

system · October 5, 2007, 3:28am

Just going through the logs now. Give me a few minutes.

What you’ve done is fine and you needn’t worry about the McAfee warning. ComboFix acts in many ways like a trojan the way it gathers information and sometimes makes changes. It is completely safe.

I did notice a file created 3 October 2007

C:\WINDOWS\system32\jcq.exe

that I’m not finding much info on. It might be related to a Christian web site in Russia. Is it something you might have downloaded?

If you don’t recognize it please uploada sample to Virus Total and post the results of the scans.

system · October 5, 2007, 4:06am

spam-mailbot
file c:\windows\system32\gjlz.exe
process c:\program files\internet explorer\iexplore.exe
process description:internet explorer

w32/checkoout
file:c:\documents and settings\Margaret\Local settings\temp\57.exe
process:c:\windows\system32\wkssvc.exe
process description:c:\windows\system32\wkssvc.exe

spam-mailbot
file c:windows\system32\kreu.exe
processc:windows\system32\msiexec.exe
process description:windows installer

spam-mailbot
file c:windows\system32\fkclipclzoz.exe
processc:program files\grisoft\avg anti-spyware7.5\avgas.exe
process description:avg anti-spyware

spam-mailbot
file: c:windows\system32\awjtcurhkn.exe
processc:program files\grisoft\avg anti-spyware7.5\avgas.exe
process description:avg anti-spyware guard

Tried to upload file…0 bytes macfee popped up with a trojan detection. i wouldn’t down load from the site you mentioned.

system · October 5, 2007, 4:17am

OK, thanks.

Are those McAfee detections you posted?

system · October 5, 2007, 4:20am

yes mcafee reports…sorry i didn’t say that.

system · October 5, 2007, 4:26am

Well, I’m not entirely sure how to interpret McAfee so let’s proceed with the manual fix.

Open OTMoveIt again and past in the following paths

C:\WINDOWS\system32\jcq.exe
C:\WINDOWS\system32\pidogjbyxbqf.exe
C:\WINDOWS\system32\mjeoc.exe
C:\WINDOWS\system32\nttbjirnrqd.exe
C:\WINDOWS\system32\gjlz.exe
C:\WINDOWS\system32\ggn.exe
C:\Program Files\HbTools
c:\documents and settings\Margaret\Local settings\temp\57.exe
c:\windows\system32\wkssvc.exe
c:windows\system32\kreu.exe
c:windows\system32\fkclipclzoz.exe
c:windows\system32\awjtcurhkn.exe

Click the red Moveit! button as you did before to remove the files (some of these files will not be found). Then post the results along with a new ComboFix and HJT log.

There is a “run once” registry key showing in HJT that I will specifically ask you to not fix

O4 - HKLM..\RunOnce: [HbTools] cmd /c “rmdir “C:\Program Files\HbTools” /s /q”

This line is there to remove the HotBar directory on reboot and should disappear once its work is done. If it persists we will fix it later, and I mention it only because of its suspicious appearance.

system · October 5, 2007, 4:48am

with the mcafee reports i posted earlier they showed that they had been removed/repaired.

Please help, a couple of trojans

Announcements