Trojan Zonebac

By prov1x
Feb 9, 2008
Topic Status:
Not open for further replies.
  1. I have recently been receiving a Norton Antivirus real-time alert that my system has the trojan Zonebac. Symantec does not remove it. Can someone help me get rid of this? I am including both a Kaspersky and a HijackThis scan result.

    I ran Kaspersky. Here are my results

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, February 09, 2008 7:26:35 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 9/02/2008
    Kaspersky Anti-Virus database records: 555870
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 69262
    Number of viruses found: 3
    Number of infected objects: 12
    Number of suspicious objects: 0
    Duration of the scan process: 01:55:08

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06540000.VBN Infected: Trojan.Win32.KillAV.oe skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A300000.VBN Infected: Trojan.Win32.KillAV.oe skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D000000.VBN Infected: Trojan.Win32.KillAV.oe skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D000001.VBN Infected: Trojan.Win32.KillAV.oe skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200000.VBN Infected: Trojan.Win32.KillAV.oe skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200001.VBN Infected: Trojan.Win32.KillAV.oe skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0D200002.VBN Infected: Trojan.Win32.KillAV.oe skipped
    C:\Documents and Settings\edgar\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\edgar\Desktop\stng380.exe Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\History\History.IE5\MSHist012008020920080210\index.dat Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\Temp\1367375516.exe Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe/data0000.bin/file3 Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
    C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe/data0000.bin Infected: not-a-virus:FraudTool.Win32.SpyDefenderPro.a skipped
    C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe EmbeddedEXE: infected - 2 skipped
    C:\Documents and Settings\edgar\Local Settings\Temp\r1202029302.exe UPX: infected - 2 skipped
    C:\Documents and Settings\edgar\Local Settings\Temp\~DF9F4F.tmp Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\Temp\~DF9F54.tmp Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\edgar\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\edgar\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\edgar\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    F:\RECYCLER\S-1-5-21-1177238915-2077806209-725345543-1004\Dd554\Favorite.dll Infected: not-a-virus:AdWare.Win32.Favman.a skipped

    Scan process completed.
  2. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    Here are the results of a Hijack This scan

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:34:29 PM, on 2/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\bak\vptray.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1177874453233
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1194822532468
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/pla.../installer.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

    --
    End of file - 5433 bytes
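    An added triage helper for logs like the HijackThis output above (example code written for this page, not from the original poster or from the HijackThis project). It parses the "Running processes" section and the O4 autostart lines, then applies three review heuristics: an autostart that is a bare file name with no directory (which binary loads depends on the search path), an autostart whose image sits under an unusual directory such as a `\bak\` or temp folder, and an autostart whose name or path matches a family the Kaspersky report in this thread labelled FraudTool (SpyDefender Pro). It also reports the same process image name running from two different directories, as `vptray.exe` does in the log. The sample log is constructed from a subset of the lines posted above; the directory list and the FraudTool marker list are assumptions for this example, and a hit means "look at this", not "this is malicious".

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v2.0.2 format, taken from a subset of the
# lines in the log posted above (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\bak\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpyDefender Shield] "C:\Program Files\SpyDefender Pro\SpyDefender.exe" --scan2
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# O4 lines: "O4 - <hive>\Run: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')

# Split "<optionally quoted path to an executable> <args>" without breaking on
# spaces inside unquoted paths such as C:\Program Files\...\foo.exe /logon.
EXEC_RE = re.compile(
    r'^"?(?P<path>[^"]+?\.(?:exe|com|scr|bat|cmd|vbs|pif|dll))"?(?:\s+(?P<args>.*))?$',
    re.IGNORECASE)

# Assumed list for this example: directories where a persistent autostart
# binary is out of place and deserves a look.
SUSPECT_DIR_PARTS = ('\\bak\\', '\\local settings\\temp\\', '\\temp\\', '\\recycler\\')

# Family the Kaspersky report in this thread labelled not-a-virus:FraudTool.
FRAUDTOOL_MARKERS = ('spydefender',)


def split_command(cmd):
    """Return (path, args) for an O4 command line; args is '' when absent."""
    m = EXEC_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ''
    return m.group('path'), (m.group('args') or '')


def triage_o4(path, name):
    """Return the list of review reasons for one autostart entry (may be empty)."""
    reasons = []
    low = path.lower()
    if '\\' not in low:
        reasons.append('bare file name, no directory: which binary runs depends on the search path')
    for part in SUSPECT_DIR_PARTS:
        if part in low:
            label = part.strip('\\')
            reasons.append(f'image lives under an unusual directory ({label})')
            break
    if any(m in low or m in name.lower() for m in FRAUDTOOL_MARKERS):
        reasons.append('matches a family the Kaspersky scan flagged as FraudTool')
    return reasons


def analyze(log_text):
    """Return (section, subject, reason) tuples for everything worth a second look."""
    findings = []
    procs_by_base = defaultdict(set)   # image name -> set of directories it ran from
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == 'Running processes:':
            in_procs = True
            continue
        if in_procs:
            if not line:                # blank line ends the process section
                in_procs = False
                continue
            directory, _, base = line.lower().rpartition('\\')
            procs_by_base[base].add(directory)
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path, _args = split_command(m.group('cmd'))
        for reason in triage_o4(path, m.group('name')):
            findings.append(('O4', f"[{m.group('name')}] {path}", reason))
    # Same image name running from more than one directory (e.g. a \bak\ copy
    # beside the real one) is worth checking even when each path looks normal.
    for base, dirs in sorted(procs_by_base.items()):
        if len(dirs) > 1:
            findings.append(('procs', base, 'same image name running from ' + ' and '.join(sorted(dirs))))
    return findings


if __name__ == '__main__':
    for section, subject, reason in analyze(SAMPLE_LOG):
        print(f'{section:5} {subject}\n      -> {reason}')
```

    On the sample above the helper reports four items: the bare `Mixer.exe` autostart, the QuickTime task under a `\bak\` directory, the SpyDefender Pro autostart, and `vptray.exe` running from two directories. Whether each is benign is still a human decision; the script only orders the review.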
  3. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Viruses/Spyware/Malware, preliminary removal instructions
    http://www.techspot.com/vb/topic58138.html

    Must be completed before checking all those files.

    You may also want to run Startup and remove any unwanted startups, before posting all your attachments from doing the above.

    Sorry that's just the way we like it, it avoids saying things that are already covered.
  4. prov1x

    I tried completing all steps; however, when I get to step 14 (Run Ad-Aware in Safe Mode) I get the following:

    Exception EAccessViolation in the module Ad-Aware2007.exe at 001CA094
    Access Violation at address 005CA094 in module 'Ad-Aware2007.exe' read of address 00000414

    What should I do to resolve this and continue?
  5. kimsland

    Ad-Aware looks to be corrupt

    Please Un-install and download Ad-Aware Free again
  6. prov1x

    I completed the un-install, downloaded and re-installed, but received the same results when trying to run in Safe Mode.
  7. kimsland

    Ad-Aware has a forum message on this here: http://www.lavasoftsupport.com/index.php?showtopic=15985&hl=safe mode

    I'm not aware that the new and improved Ad-Aware does not run in Safe Mode, but I definitely require an answer to this (as yet none).

    I think continue on (and run Ad-Aware in Normal Mode).
    But if you post a message at the Lavasoft forum, I'd like an answer too.

    To be resolved

    Please continue on.
  8. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Skip step 14 and finish step 15, then post the requested logs as attachments using the paperclip icon above your reply.

    It could be the infection preventing you from running it. I had the same happen the other day with AVG.

    This thread is for the use of prov1x only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  9. prov1x

    All steps completed.

    The results of the Panda Anti-Rootkit scan:

    Items scanned 4020
    Rootkits detected 0
    Known rootkits 0
    Unknown rootkits 0
    Rootkits removed 0
    Rootkits sent to Panda 0

    ComboFix 08-02.05.3 - edgar 2008-02-10 21:40:24.1 - NTFSx86
    Running from: C:\Documents and Settings\edgar\Desktop\Techspot computer repair software\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\WinBudget
    C:\Program Files\WinBudget\bin\crap.1201817014.old
    C:\Program Files\WinBudget\bin\matrix.dat
    C:\Program Files\WinBudget\bin\matrix.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-11 to 2008-02-11 )))))))))))))))))))))))))))))))
    .

    2008-02-10 19:47 . 2008-02-10 19:47 <DIR> d-------- C:\VundoFix Backups
    2008-02-10 18:10 . 2008-02-10 18:25 2,844 --a------ C:\WINDOWS\system32\tmp.reg
    2008-02-10 18:05 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-02-10 18:05 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-02-10 18:05 . 2008-02-08 23:55 85,504 --a------ C:\WINDOWS\system32\VACFix.exe
    2008-02-10 18:05 . 2008-02-08 10:37 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-02-10 18:05 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-02-10 18:05 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-02-10 18:05 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-02-10 18:02 . 2008-02-10 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-02-10 17:57 . 2008-02-10 17:57 <DIR> d-------- C:\Program Files\Yahoo!
    2008-02-10 17:57 . 2008-02-10 17:59 <DIR> d-------- C:\Program Files\CCleaner
    2008-02-10 17:52 . 2008-02-10 17:52 <DIR> d-------- C:\Program Files\Lavasoft
    2008-02-10 17:52 . 2008-02-10 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-10 17:51 . 2008-02-10 17:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-10 17:44 . 2008-02-10 17:44 <DIR> d-------- C:\Documents and Settings\edgar\Application Data\Grisoft
    2008-02-10 17:42 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-02-10 14:28 . 2008-02-10 14:26 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-02-10 14:26 . 2008-02-10 14:29 <DIR> d-------- C:\Documents and Settings\edgar\.housecall6.6
    2008-02-10 13:48 . 2008-02-10 21:45 313,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-02-10 13:48 . 2008-02-10 20:40 5,456 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-02-10 13:43 . 2008-02-10 13:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
    2008-02-10 13:42 . 2007-11-14 16:05 75,248 --a------ C:\WINDOWS\zllsputility.exe
    2008-02-10 13:42 . 2004-04-27 04:40 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
    2008-02-10 13:42 . 2008-02-10 13:46 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-02-10 13:41 . 2008-02-10 13:41 <DIR> d-------- C:\Program Files\Zone Labs
    2008-02-10 13:39 . 2008-02-10 20:51 <DIR> d-------- C:\WINDOWS\Internet Logs
    2008-02-10 13:34 . 2008-02-10 13:35 <DIR> d-------- C:\Documents and Settings\edgar\Application Data\AVG7
    2008-02-10 13:33 . 2008-02-10 13:33 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-02-10 13:32 . 2008-02-10 17:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-02-10 13:32 . 2008-02-10 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-02-09 19:33 . 2008-02-09 19:33 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-03 04:02 . 2008-02-03 04:02 13 --a------ C:\WINDOWS\C3EA-41F7-BFAC-EBF8.dat
    2008-01-30 20:11 . 2008-01-30 20:11 <DIR> d-------- C:\WINDOWS\system32\bak
    2008-01-27 14:23 . 2008-02-08 21:08 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-27 14:23 . 2008-01-27 14:23 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-10 23:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-10 22:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-10 22:37 --------- d-----w C:\Program Files\BitTorrent_DNA
    2008-02-10 16:37 --------- d-----w C:\Documents and Settings\edgar\Application Data\Lavasoft
    2008-02-09 02:08 --------- d-----w C:\Program Files\QuickTime
    2008-02-03 04:27 --------- d-----w C:\Documents and Settings\edgar\Application Data\LimeWire
    2008-01-24 13:42 --------- d-----w C:\Documents and Settings\edgar\Application Data\U3
    2008-01-12 19:29 --------- d-----w C:\Documents and Settings\edgar\Application Data\BitTorrent
    2008-01-09 03:00 --------- d-----w C:\Program Files\MP3 Player Utilities 4.15
    2007-12-26 00:58 --------- d-----w C:\Program Files\USBToolbox
    2007-12-26 00:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-11-14 21:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
    .

    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]
    "Aim6"="" []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "C-Media Mixer"="Mixer.exe" [2002-10-15 17:00 1818624 C:\WINDOWS\mixer.exe]
    "CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [ ]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
    "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [ ]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
    "QuickTime Task"="C:\Program Files\QuickTime\bak\qttask.exe" [2007-10-26 16:56 77824]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-10 14:09 579072]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-10 13:33 219136]

    R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-04 00:31]

    *Newly Created Service* - PHOOKS
    *Newly Created Service* - PUTGOMFOPCIB
    *Newly Created Service* - SDTHOOK
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-10 21:45:37
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-10 21:48:44
    ComboFix-quarantined-files.txt 2008-02-11 02:47:53
    .
    2008-01-10 04:21:59 --- E O F ---

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 5:45:13 PM 2/12/2008

    + Scan result:



    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc201.txt -> TrackingCookie.Burstbeacon : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc202.txt -> TrackingCookie.Burstnet : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc35.txt -> TrackingCookie.Burstnet : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc56.txt -> TrackingCookie.Dealtime : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc157.txt -> TrackingCookie.Information : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc150.txt -> TrackingCookie.Liveperson : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc155.txt -> TrackingCookie.Msn : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc88.txt -> TrackingCookie.Msn : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc50.txt -> TrackingCookie.Overture : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc171.txt -> TrackingCookie.Tacoda : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc26.txt -> TrackingCookie.Tacoda : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc27.txt -> TrackingCookie.Tacoda : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc106.txt -> TrackingCookie.Tracking101 : Cleaned.
    C:\Documents and Settings\edgar\Cookies\edgar@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc112.txt -> TrackingCookie.Webtrends : Cleaned.
    F:\RECYCLER\S-1-5-21-1482476501-1580436667-1202660629-1003\Dc14.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end
  10. prov1x

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:16:47 PM, on 2/12/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Mixer.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgw.exe
    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webkinz.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1177874453233
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194822532468
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    --
    End of file - 6262 bytes
  11. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Just quoting Blind Dragon, for your information.
     
  12. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    For some reason when I click on the paperclip icon nothing happens. The other icons with the drop down menus work fine but the paper clip icon does not respond. That is why I copied the results to my post. Am I doing this incorrectly? Is there somewhere else or a setting I have to change?
  13. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    let's try this
  14. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Make sure your browser is allowing popups. When you click it, does a yellow box pop up across the top of the screen?
  15. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    It's odd, there are no yellow pop up windows. Again, the two other drop down menus next to the paper clip (emoticon and color selection for letters) work and allow me to select from them. When I click on the paperclip there is absolutely no response. I went to additional options below the reply window, clicked "manage attachments" and it allowed me to attach the files. Hope that works.
  16. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Ok, HiJackThis looks clean. I am not experienced with combofix yet, so if you want you can wait for somebody who is, or you can manually delete these:

    Show hidden files through windows explorer
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E
    • On the Tools menu in Windows Explorer, click Folder Options
    • Click the View tab.
    • Under Hidden files and folders, click Show hidden files and folders
    • Remove the checkmark from the checkbox labeled Hide protected operating system files
    • Remove the checkmark from the checkbox labeled Hide file extensions for known file types
    • Put a checkmark in the checkbox labeled Display the contents of system folders.

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Use Windows Explorer to navigate to and delete the following files:
    • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E

    Folders:
    C:\Program Files\WinBudget <-This folder only

    After deleting the above, go to Start, click Search, click All files and folders, and then click More advanced options. Click the check boxes to Search system folders and Search hidden files and folders.

    In the search box for All or part of the file name please type matrix.dll
    If any instances are shown Delete them.

    Do the same for matrix.dat

    Remove registry entries
    • Click Start, Run, type regedit, click ok.
    Navigate to and delete the following entries:

    HKEY_CLASSES_ROOT\toolbar.TB\CLSID
    HKEY_CLASSES_ROOT\toolbar.TB.1\CLSID
    HKEY_CLASSES_ROOT\AppID\toolbar.DLL
    HKEY_CLASSES_ROOT\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
    HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}
    Reboot the computer into Normal Mode

    Post a fresh Combofix log
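    As an added example, not part of the thread and not Blind Dragon's instructions: a read-only PowerShell audit of the folder, files and registry keys listed in the post above. It only reports which of them are present (and, for the CLSID keys, which DLL they point at), so it can be run before the manual deletion to confirm the indicators are there and again afterwards to confirm they are gone; the paths and keys are exactly those from the post.

```powershell
# Added example, not from the thread: a read-only audit of the items listed above.
# It reports whether each is present and never deletes anything. Run from an
# elevated PowerShell prompt; the paths and keys are the ones named in the post.
$folders    = @('C:\Program Files\WinBudget')
$looseFiles = @('matrix.dll', 'matrix.dat')
$regKeys = @(
    'Registry::HKEY_CLASSES_ROOT\toolbar.TB\CLSID',
    'Registry::HKEY_CLASSES_ROOT\toolbar.TB.1\CLSID',
    'Registry::HKEY_CLASSES_ROOT\AppID\toolbar.DLL',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}',
    'Registry::HKEY_CLASSES_ROOT\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}',
    'Registry::HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0CB66BA8-5E1F-4963-93D1-E1D6B78FE9A2}'
)

function Test-Indicators {
    $hits = @()
    foreach ($f in $folders) {
        if (Test-Path -LiteralPath $f) { $hits += "FOLDER  $f" }
    }
    foreach ($k in $regKeys) {
        if (Test-Path -LiteralPath $k) {
            $hits += "REGKEY  $k"
            # A CLSID key's InprocServer32 default value names the DLL that
            # Internet Explorer loads for that object; show it when present.
            $srv = "$k\InprocServer32"
            if (Test-Path -LiteralPath $srv) {
                $dll = (Get-ItemProperty -LiteralPath $srv).'(default)'
                $hits += "        -> InprocServer32 = $dll"
            }
        }
    }
    # Sweep the whole system drive, hidden and system folders included, for the
    # loose files, the same search the post asks for via the Windows Search dialog.
    $found = Get-ChildItem -Path 'C:\' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($looseFiles -contains $_.Name) }
    foreach ($f in @($found)) { $hits += "FILE    $($f.FullName)" }
    return $hits
}

$result = @(Test-Indicators)
if ($result.Count -eq 0) { 'None of the listed indicators are present.' } else { $result }
```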
  17. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    Done, here is the new combofix log

    Attached Files:

  18. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Download FindAWF:

    1. Download FindAWF
    2. Save the file to the Desktop
    3. Double-click the FindAWF icon.
    4. If a Security Alert shows, allow the program to run.
    5. As instructed, press any key to continue.
    6. Use the following option: Press 1 then Enter to scan for bak folders
       The scan may take a while, please be patient.
    7. When done, a text file, Find AWF report is produced that I need to look at.
       Please post it in your reply.

    Generate Uninstall List

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.
    5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file.
     
  19. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    here are the two files
  20. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Fix AWF Infection

    Copy the file paths in the quote box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please attach AWF.txt file in your next reply along with a fresh HJT log
  21. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    Here are the two logs
  22. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Almost there

    Launch HJT
    *Select Do a System Scan Only
    *Put a check mark next to the following entry:
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime

    *Select Fix Checked
    *Select Scan and attach another log


    Fix AWF Folders
    * Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    * Double-click on the FindAWF.exe file to run it.
    * It will open a command prompt and ask you to "Press any key to continue".
    * You will be presented with a Menu.
    * Press 3, then press Enter.
    * Press any key to continue.
    * A Notepad document FindAWF.txt will appear with instructions to click below the line and paste the list of folders to be removed.
    * Right click below this line and select Paste, to paste the list of folders copied to the clipboard earlier. Save and close the document.
    * The program will proceed to remove the bad folders and will perform another scan for .bak folder
    * It may take a few minutes to complete so be patient.
    * When it is complete, it will open a text file in notepad called AWF.txt.
    * Please attach the AWF.txt file in your next reply.

    Run Fix AWF one more time and press 4, then press Enter.
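    As an added example, not part of the thread and not FindAWF's own code: a read-only PowerShell sweep for the layout FindAWF deals with in the posts above, an executable inside a folder named bak next to a same-named executable one level up (the thread's own case is C:\Program Files\QuickTime\bak\qttask.exe). It lists each pair with size and SHA-256 so the two copies can be compared before anything is moved or deleted; the comparison logic and the search roots are my assumptions.

```powershell
# Added example, not from the thread or FindAWF: report "bak" folders that hold an
# executable with a same-named twin in the parent folder. Read-only; run elevated.
$roots = @('C:\Program Files', 'C:\WINDOWS')   # assumed roots to sweep

function Get-Sha256 {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally { $stream.Close() }
}

function Find-BakPairs {
    param([string[]]$SearchRoots)
    $pairs = @()
    foreach ($root in $SearchRoots) {
        $bakDirs = Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -ieq 'bak' }
        foreach ($dir in @($bakDirs)) {
            $exes = Get-ChildItem -Path $dir.FullName -Filter '*.exe' -Force -ErrorAction SilentlyContinue
            foreach ($exe in @($exes)) {
                # The twin is the file the bak copy was presumably moved away from.
                $twin       = Join-Path $dir.Parent.FullName $exe.Name
                $twinExists = Test-Path -LiteralPath $twin
                $twinHash   = ''
                if ($twinExists) { $twinHash = Get-Sha256 $twin }
                $pairs += New-Object PSObject -Property @{
                    BakCopy    = $exe.FullName
                    BakSize    = $exe.Length
                    BakSha256  = Get-Sha256 $exe.FullName
                    Twin       = $twin
                    TwinExists = $twinExists
                    TwinSha256 = $twinHash
                    # Identical hashes mean a plain backup; differing hashes mean
                    # the two copies are not the same program and deserve a look.
                    SameHash   = ($twinExists -and ($twinHash -eq (Get-Sha256 $exe.FullName)))
                }
            }
        }
    }
    return $pairs
}

Find-BakPairs -SearchRoots $roots | Format-List BakCopy, BakSize, BakSha256, Twin, TwinExists, TwinSha256, SameHash
```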
  23. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    here are the log files
  24. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Looks like we got it. I am going to ask one of the experts to double check my work.

    If you have any further virus/spyware problems, please post in this thread.

    The instructions in this thread are for the use of prov1x only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  25. prov1x

    prov1x Newcomer, in training Topic Starter Posts: 17

    Thank you for all the work and time! I'll check back to see if there is anything else I need to do.

    Thank You