Malware Problem, any help appreciated

genius34 · Feb 6, 2008

About a week ago, I started experiencing some type of malware problem that I haven't seen before. Whenever I attempt to login to my hotmail account, I get a basic "IE cannot access" error. The same thing happens when I try to go to my bank login page, or my fantasy football login page. Otherwise, my Internet is working, the only time I have problems is when I try to login on particular sites or go to sites with login options.

I went through all of the basics recommended in the malware removal guide, with no success. For some reason, AVG would not generate me a scan report, even though I followed the guidelines twice (it may be because I've been running the trial freeware version for some time now). Each time I scanned, it only came up with two tracking cookies anyway.

Otherwise, both of the other scans are attached below. Any help will be appreciated because this is driving me crazy. If a subsequent AVG scan and attachment is necessary, let me know, I'll give it another shot. Also, if there is another similar scanning program that I can post a log from, let me know and I'll do that.

Thank you.

TimW · Feb 7, 2008

Let's do this first:
Download FindAWF and save the file to your Desktop.
Start FindAWF.exe
Select option 2 by pressing 2 and then Enter. A text file will open (files.txt).
In that files.txt, copy and paste the following list of files to be restored:

C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe
C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe
C:\Program Files\DellSupport\bak\DSAgnt.exe
C:\Program Files\Google\Google Talk\bak\googletalk.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe
C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Norton Internet Security\bak\cfgwiz.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\SymNetDrv\bak\SNDMon.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\dla\bak\tfswctrl.exe
Click to expand...

Close the files.txt and click Yes to save the changes.
FindAWF wil now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log. Copy and paste the contents of that log in your next reply.

genius34 · Feb 7, 2008

The text from the log:

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Thu 02/07/2008
The current time is: 11:56:39.22

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007 10:09 AM 460,784 DSAgnt.exe
1 File(s) 460,784 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

11/02/2007 06:36 PM 267,048 iTunesHelper.exe
1 File(s) 267,048 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

03/15/2005 03:34 PM 132,248 cfgwiz.exe
1 File(s) 132,248 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/19/2007 08:16 PM 286,720 qttask.exe
1 File(s) 286,720 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

09/26/2005 03:06 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
09/20/2005 09:32 AM 77,824 hkcmd.exe
09/20/2005 09:36 AM 114,688 igfxpers.exe
09/20/2005 09:35 AM 94,208 igfxtray.exe
4 File(s) 302,080 bytes

Directory of C:\PROGRA~1\ANALOG~1\CORE\BAK

10/14/2004 07:42 PM 1,404,928 smax4pnp.exe
1 File(s) 1,404,928 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

04/12/2006 11:54 AM 49,824 ccApp.exe
1 File(s) 49,824 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\BAK

01/01/2007 04:22 PM 3,739,648 googletalk.exe
1 File(s) 3,739,648 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

06/11/2007 04:25 AM 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

05/31/2005 05:33 AM 122,941 tfswctrl.exe
1 File(s) 122,941 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK

10/24/2005 02:53 PM 307,200 AdobeUpdateManager.exe
1 File(s) 307,200 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

07/27/2004 04:50 PM 81,920 issch.exe
07/27/2004 04:50 PM 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

03/15/2005 03:33 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\DOCUME~1\ALLUSE~1\APPLIC~1\DELL\TRANSF~1\BAK

11/13/2007 04:46 PM 135,168 TransferAgent.exe
1 File(s) 135,168 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

14348 Jan 31 2008 "C:\Program Files\DellSupport\DSAgnt.exe"
460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
14348 Jan 31 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267048 Nov 2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Nov 11 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
116008 Nov 11 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
14348 Jan 31 2008 "C:\Program Files\Norton Internet Security\cfgwiz.exe"
132248 Mar 15 2005 "C:\Program Files\Norton Internet Security\bak\cfgwiz.exe"
132248 Mar 15 2005 "C:\Program Files\Norton Internet Security\Norton AntiVirus\CfgWiz.exe"
14348 Jan 31 2008 "C:\Program Files\QuickTime\qttask.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
14348 Jan 31 2008 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 26 2005 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\hkcmd.exe"
126976 Jan 23 2005 "C:\DRIVERS\VIDEO\ONBOARD\HKCMD.EXE"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Jan 23 2005 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\hkcmd.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\igfxpers.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\igfxtray.exe"
155648 Jan 23 2005 "C:\DRIVERS\VIDEO\ONBOARD\IGFXTRAY.EXE"
94208 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Jan 23 2005 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\igfxtray.exe"
1404928 Oct 14 2004 "C:\DRIVERS\AUDIO\onboard\SMax4PNP.exe"
14348 Jan 31 2008 "C:\Program Files\Analog Devices\Core\smax4pnp.exe"
1404928 Oct 14 2004 "C:\Program Files\Analog Devices\Core\bak\smax4pnp.exe"
14348 Jan 31 2008 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
49824 Apr 12 2006 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
14348 Jan 31 2008 "C:\Program Files\Google\Google Talk\googletalk.exe"
3739648 Jan 1 2007 "C:\Program Files\Google\Google Talk\bak\googletalk.exe"
1581768 Oct 25 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.100\googletalk-setup-upgrade.exe"
1606064 Jan 5 2007 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.104\googletalk-setup-upgrade.exe"
892080 Jan 27 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.84\googletalk-setup-upgrade.exe"
896720 Feb 7 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.86\googletalk-setup-upgrade.exe"
1334520 Apr 7 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.92\googletalk-setup-upgrade.exe"
1531784 Aug 16 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.96\googletalk-setup-upgrade.exe"
1572720 Oct 6 2006 "C:\Program Files\Google\Google Talk\googletalk-1.0.0.98\googletalk-setup-upgrade.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
14348 Jan 31 2008 "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
122941 May 31 2005 "C:\WINDOWS\system32\dla\tfswctrl.exe"
122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
14348 Jan 31 2008 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
307200 Oct 24 2005 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
14348 Jan 31 2008 "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
14348 Jan 31 2008 "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
14348 Jan 31 2008 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Mar 15 2005 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"
14348 Jan 31 2008 "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
135168 Nov 13 2007 "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe"
327437 Jan 23 2008 "C:\Documents and Settings\Joe Thoma.JOE\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\CIP\TransferAgentSetup.exe"

end of report
Click to expand...

TimW · Feb 7, 2008

To be sure...re-run ComboFix and attach that log.

genius34 · Feb 7, 2008

ComboFix log attached.

TimW · Feb 7, 2008

Sweet....Your logs look clean.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
10. If you are running Windows XP or Windows ME, do the below:
* Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

genius34 · Feb 7, 2008

Well, I guess this is where things get interesting then. I still can't access my email, my bank page, or my fantasy sports page. I get this generic error message:

Internet Explorer cannot display the webpage

Most likely causes:
You are not connected to the Internet.
The website is encountering problems.
There might be a typing error in the address.

What you can try:
Diagnose Connection Problems

More information

This problem can be caused by a variety of issues, including:

Internet connectivity has been lost.
The website is temporarily unavailable.
The Domain Name Server (DNS) is not reachable.
The Domain Name Server (DNS) does not have a listing for the website's domain.
If this is an HTTPS (secure) address, click Tools, click Internet Options, click Advanced, and check to be sure the SSL and TLS protocols are enabled under the security section.

For offline users

You can still view subscribed feeds and some recently viewed webpages.
To view subscribed feeds

Click the Favorites Center button , click Feeds, and then click the feed you want to view.

To view recently visited webpages (might not work on all pages)

Click Tools , and then click Work Offline.
Click the Favorites Center button , click History, and then click the page you want to view.
Click to expand...

But the rest of my internet works fine, and I'm obviously able to login here. Could this be something stupid and security related that I did on my end? I haven't changed anything recently, this just popped up out of nowhere.

genius34 · Feb 7, 2008

Just realized that I have doginhispen/skitothedayplease, too. Seems like this is beginning to be an epidemic. Should I follow the instructions in the other threads? What a mess.

TimW · Feb 8, 2008

Please download DelDomains and unzip it to your desktop. Do not run it yet.

Find the files from deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.

(Please note if you have Spybot S&D installed you will need to "Immunize" again because deldomains will remove all of the sites Spybot adds.)

Download HostsXpert and then follow the below steps.

* Unzip HostsXpert.zip
* It will create a folder named HostsXpert in whatever folder you extract it to.
* Run HostsXpert.exe by double clicking on it.
* click the Make Writeable? button.
* click Restore Microsoft's Hosts File and then click OK.
* Click the X to exit the program

Next please copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"= dword:00000000
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"=http://
Click to expand...

Tell me how things are.

genius34 · Feb 8, 2008

Thanks, I'll be off the system until Sunday, I'll update then.

TimW · Feb 9, 2008

My bad...skipped a step or two...

Start FindAWF, select Option 3, by pressing 3 and then enter.
This will open the text file folders.txt
Copy and paste the following list in it:

C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak
C:\Program Files\Common Files\Symantec Shared\Security Center\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Common Files\InstallShield\UpdateService\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Intel\Modem Event Monitor\bak
C:\Program Files\Google\Google Talk\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Analog Devices\Core\bak
C:\Program Files\SymNetDrv\bak
C:\Program Files\QuickTime\bak
C:\Program Files\Norton Internet Security\bak
C:\Program Files\iTunes\bak
C:\Program Files\DellSupport\bak
Click to expand...

Then close folders.txt and let it save the changes.
FindAWF will now remove the bak folders and open a log afterwards.
Post the log in your next reply.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Tell me how things are now.

genius34 · Feb 10, 2008

I followed all of those directions. The required log is attached. Unfortunately, as soon as I accessed internet explorer, I checked my browser history, and a.doginhispen appeared immediately. Next suggested course of action?

TimW · Feb 11, 2008

Start FindAWF.exe
Select option 2 by pressing 2 and then Enter. A text file will open (files.txt).
In that files.txt, copy and paste the following list of files to be restored:

C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe
Click to expand...

Close the files.txt and click Yes to save the changes.
FindAWF wil now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log. Copy and paste the contents of that log in your next reply.

Have you run CCleaner to remove the history?

genius34 · Feb 11, 2008

Here is the newest log. I have run CCleaner to eliminate the browser history. Thank you for you continued help.

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Mon 02/11/2008
The current time is: 17:30:01.07

bak folders found
~~~~~~~~~~~

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 05:00 AM 15,360 ctfmon.exe
09/20/2005 09:32 AM 77,824 hkcmd.exe
09/20/2005 09:36 AM 114,688 igfxpers.exe
09/20/2005 09:35 AM 94,208 igfxtray.exe
4 File(s) 302,080 bytes

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

06/11/2007 04:25 AM 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003 08:12 PM 221,184 IntelMEM.exe
1 File(s) 221,184 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

05/31/2005 05:33 AM 122,941 tfswctrl.exe
1 File(s) 122,941 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~3.0_0\BIN\BAK

09/25/2007 01:11 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\hkcmd.exe"
126976 Jan 23 2005 "C:\DRIVERS\VIDEO\ONBOARD\HKCMD.EXE"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Jan 23 2005 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\hkcmd.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\igfxpers.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\igfxtray.exe"
155648 Jan 23 2005 "C:\DRIVERS\VIDEO\ONBOARD\IGFXTRAY.EXE"
94208 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Jan 23 2005 "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\igfxtray.exe"
6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"
221184 Sep 3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
122941 May 31 2005 "C:\WINDOWS\system32\dla\tfswctrl.exe"
122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
144784 Dec 14 2007 "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\bak\jusched.exe"

end of report
Click to expand...

TimW · Feb 12, 2008

Start FindAWF, select Option 3, by pressing 3 and then enter.
This will open the text file folders.txt
Copy and paste the following list in it:

C:\Program Files\Java\jre1.6.0_03\bin\bak
C:\WINDOWS\system32\dla\bak
C:\WINDOWS\system32\bak
C:\Program Files\Intel\Modem Event Monitor\bak
Click to expand...

Then close folders.txt and let it save the changes.
FindAWF will now remove the bak folders and open a log afterwards.
Post the log in your next reply.

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Now run deldomains again.

genius34 · Feb 12, 2008

Newest Log:

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Tue 02/12/2008
The current time is: 17:31:44.68

bak folders found
~~~~~~~~~~~

Directory of C:\PROGRA~1\GRISOFT\AVGANT~1.5\BAK

06/11/2007 04:25 AM 6,731,312 avgas.exe
1 File(s) 6,731,312 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

6731312 Jun 11 2007 "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\bak\avgas.exe"

end of report
Click to expand...

TimW · Feb 13, 2008

Good ...so how are things running now?

genius34 · Feb 13, 2008

a.doginhispen and b.skitodayplease no longer show up in my browser history. I can get to hotmail.com, but I still can't access my email, or login to my fantasy team, or get to my bank page. There seems to be some improvement, but I still seem to be having problems.

TimW · Feb 15, 2008

Tell me exactly what happens ....can't get a login screen? Can't or it won't recognize your login?

genius34 · Feb 15, 2008

When I try to login to hotmail, I immediately go to an error page, without any hesitation. I can't even get to my bank page, it just goes straight to an error when I type in the address and hit enter. My fantasy sports page, at yahoo, is similar to my email. I can access anything on yahoo, but when I try to login in, it goes straight to an error page without even trying to access my account.

TimW · Feb 17, 2008

This may be related to LogMeIn ....whicn may have been corrupted with the malware.

Try uninstalling it and see if the problem persists.

genius34 · Feb 17, 2008

As far as I can tell, I don't have LogMeIn on my computer. Nothing comes up through a file search, and it isn't in my add/remove programs. Could it be elsewhere?

TimW · Feb 17, 2008

No..I rechecked your logs and don't see it ...try turning off Norton Internet Security and see if the problem persists.

genius34 · Feb 17, 2008

In some areas, Norton shows that it is already disabled. In others it shows that it is currently working, and if I try to turn it off, then it says it is already off. The entire program is acting flaky, and I'm not convinced that it's actually doing anything. When these problems are fixed, I'm planning on using something different anyway, so could I just remove it now?

Edit: it also actually shows that I'm missing some files that are required to run Norton. Specifically something called caApp.

TimW · Feb 17, 2008

Time to make it go bye bye ....first choose an anti-virus program from here:
TopFreeware

download to desktop but don't install yet.

Now us this tool:
http://www.majorgeeks.com/Norton_Removal_Tool_SymNRT_d4749.html

Then after the removal ...install the new anti-virus ..update it and run it.

genius34 · Feb 17, 2008

My login issues have been resolved. Awesome!

I installed Avast and it located and quarantined one problem, Win32:CTX.

Attached are new logs.

chaslang · Feb 17, 2008

genius34 said: ↑

I installed Avast and it located and quarantined one problem, Win32:CTX.
Click to expand...

More than likely a false positive especially if you have used/installed anything related to Panda Antivirus or Online Scanner. See the below:

http://www.avast.com/eng/faq_panda.html

genius34 · Feb 18, 2008

Yes, that makes sense, I'm sure that's it.

Everything seems to be in good working order, thank you!

TimW · Feb 19, 2008

You're welcome.....If you are not having any other malware problems, it is time to do our final steps:

1. If we used Pocket Killbox during your cleanup, do the below
* Run Pocket Killbox and select File, Cleanup, Delete All Backups
2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that was created.
3. If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
6. If we had your run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
7. If we had you run Avenger, you can delete all files related to Avenger now.
8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
9. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
10. If you are running Windows XP or Windows ME, do the below:
* Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
11. After doing the above, you should work thru the below link:
* How to Protect yourself from malware!

Log in or Sign up

Malware Problem, any help appreciated

genius34 Private E-2

Attached Files:

ComboFix.txt

MGlogs.zip

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

Attached Files:

ComboFix.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

Attached Files:

awf.txt

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

genius34 Private E-2

Attached Files:

MGlogs.zip

ComboFix.txt

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

genius34 Private E-2

TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member