Hi wonderfull team of deniweb.
short story of my sick computer - my internet explorer redirects me to random sites,very very slow, freezes all the time and lately turns off completly by itself.very annoying!
I have followed the steps of your instrustions how to initially clea a little before posting and was hoping someone has time to look into my posted logs. Any help would be greatly appreciated.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4786

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/9/2010 5:41:01 PM
mbam-log-2010-10-09 (17-41-01).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|H:\|I:\|J:\|K:\|)
Objects scanned: 268153
Time elapsed: 58 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**********************************************************
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-10-09 13:18:58
Windows 5.1.2600 Service Pack 3
Running: pw31vuj8.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\agloyfog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
***********************************************************************************
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-09 16:29:55
Windows 5.1.2600 Service Pack 3
Running: pw31vuj8.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\agloyfog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

*********************************************************************************

DDS (Ver_10-10-10.02) - NTFSx86
Run by Owner at 11:17:17.31 on Mon 10/11/2010
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.83 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Documents and Settings\Owner\Desktop\Viruses\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uURLSearchHooks: H - No File
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [CHotkey] zHotkey.exe
mRun: [ShowWnd] ShowWnd.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EverioService] "c:\program files\cyberlink\pcm4everio\EverioService.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [Aquairum] c:\program files\usb aquarium\Aquarium.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [ap.exe] c:\documents and settings\networkservice\application data\ccenter\ap.exe
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1011016
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Search
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {E268A72F-2A5C-4FD0-BD82-94A6E42ACA0E} - rundll32.exe "c:\documents and settings\networkservice\application data\bitrix security\ysloiyiy6.dll", DllUnregister
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-8 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-8 27784]
R2 aawservice;Ad-Aware 2007 Service;c:\program files\lavasoft\ad-aware 2007\aawservice.exe [2007-7-20 557056]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-2-5 297752]

=============== Created Last 30 ================


==================== Find3M ====================


============= FINISH: 11:19:08.68 ===============


and Attach.txt is attached as per instructions

Thank you.

Recommended Answers

All 21 Replies

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator.
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.

Here is my bootkit remover results. Thank you crunchie

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`0f1dd200
Boot sector MD5 is: 35c61e6d485a3163078db7b3aca68eea

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

Open Notepad
Copy and paste following text into Notepad:

@ECHO OFF
START remover.exe fix \\.\PhysicalDrive0
EXIT

Go FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.bat.
Save fix.bat to your Desktop.

Run fix.bat by double clicking.
You may see a black box appear; this is normal.

When done, run remover.exe again and post its output.

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000001`0f1dd200
Boot sector MD5 is: 35c61e6d485a3163078db7b3aca68eea

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Unknown boot code

Unknown boot code has been found on some of your physical disks.
To inspect the boot code manually, dump the master boot sector:
remover.exe dump <device_name> [output_file]
To disinfect the master boot sector, use the following command:
remover.exe fix <device_name>


Done;
Press any key to quit...

******right after i run fix.bat file the black window popped out and the msg came out "Windows can not find remover.exe....." then i run the remover.exe as you adviced me. log is posted above. Thank you ******

Doesn't look like it worked. Try this:

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

Thanks Crunchie. Here it is:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000007bc

Kernel Drivers (total 162):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF8AC4000 \WINDOWS\system32\KDCOM.DLL
0xF89D4000 \WINDOWS\system32\BOOTVID.dll
0xF8575000 ACPI.sys
0xF8AC6000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8564000 pci.sys
0xF85C4000 isapnp.sys
0xF85D4000 ohci1394.sys
0xF85E4000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF8B8C000 pciide.sys
0xF8844000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF8AC8000 aliide.sys
0xF8ACA000 cmdide.sys
0xF8ACC000 toside.sys
0xF8ACE000 viaide.sys
0xF8AD0000 intelide.sys
0xF85F4000 MountMgr.sys
0xF8545000 ftdisk.sys
0xF8AD2000 dmload.sys
0xF851F000 dmio.sys
0xF884C000 PartMgr.sys
0xF8604000 VolSnap.sys
0xF89D8000 cpqarray.sys
0xF8507000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF84EF000 atapi.sys
0xF89DC000 aha154x.sys
0xF8854000 sparrow.sys
0xF8614000 aic78xx.sys
0xF89E0000 dac960nt.sys
0xF8624000 ql10wnt.sys
0xF89E4000 amsint.sys
0xF885C000 asc.sys
0xF89E8000 asc3550.sys
0xF8864000 mraid35x.sys
0xF886C000 i2omp.sys
0xF89EC000 ini910u.sys
0xF8634000 ql1240.sys
0xF8644000 aic78u2.sys
0xF8874000 symc8xx.sys
0xF887C000 sym_hi.sys
0xF8884000 sym_u3.sys
0xF888C000 ABP480N5.SYS
0xF8894000 asc3350p.sys
0xF8AD4000 cd20xrnt.sys
0xF8654000 ultra.sys
0xF889C000 dpti2o.sys
0xF84D6000 adpu160m.sys
0xF8664000 ql1080.sys
0xF8674000 ql1280.sys
0xF8684000 ql12160.sys
0xF89F0000 cbidf2k.sys
0xF84AA000 dac2w2k.sys
0xF88A4000 hpn.sys
0xF88AC000 perc2.sys
0xF8AD6000 perc2hib.sys
0xF8694000 disk.sys
0xF86A4000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF848A000 fltmgr.sys
0xF8478000 sr.sys
0xF8461000 KSecDD.sys
0xF83D4000 Ntfs.sys
0xF83A7000 NDIS.sys
0xF86B4000 sisagp.sys
0xF86C4000 viaagp.sys
0xF838D000 Mup.sys
0xF86D4000 agp440.sys
0xF86E4000 alim1541.sys
0xF86F4000 amdagp.sys
0xF8704000 agpCPQ.sys
0xF8714000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF8744000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7D48000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7D34000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7D0C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF89B4000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7CE8000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF89BC000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF7CB2000 \SystemRoot\system32\DRIVERS\HSFHWBS2.sys
0xF7C8F000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7B90000 \SystemRoot\system32\DRIVERS\HSF_DP.sys
0xF7AE8000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
0xF89C4000 \SystemRoot\System32\Drivers\Modem.SYS
0xF7AC2000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF7AAE000 \SystemRoot\system32\DRIVERS\parport.sys
0xF8754000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF89CC000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF88BC000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8764000 \SystemRoot\system32\DRIVERS\serial.sys
0xF8AB8000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF8774000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8784000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF8794000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF8ABC000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF8C58000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF87A4000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF82C5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7A97000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF87B4000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF87C4000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF88DC000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7A86000 \SystemRoot\system32\DRIVERS\psched.sys
0xF87D4000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF88E4000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF88EC000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7A56000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF87E4000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8AEA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF79D0000 \SystemRoot\system32\DRIVERS\update.sys
0xF82A5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7E8D000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAA594000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xAA570000 \SystemRoot\system32\drivers\portcls.sys
0xF7E6D000 \SystemRoot\system32\drivers\drmk.sys
0xF7E4D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8AEE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF8A90000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF88FC000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xF8904000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xAA4FB000 \SystemRoot\system32\DRIVERS\zd1211Bu.sys
0xF8AF2000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C5B000 \SystemRoot\System32\Drivers\Null.SYS
0xF8AF4000 \SystemRoot\System32\Drivers\Beep.SYS
0xF8914000 \SystemRoot\System32\drivers\vga.sys
0xF8AF6000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8AF8000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF891C000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF8924000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8A94000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xAA478000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAA3F7000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAA3CF000 \SystemRoot\system32\DRIVERS\netbt.sys
0xAA3A9000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xAA387000 \SystemRoot\System32\drivers\afd.sys
0xF835D000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAA35C000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAA2EC000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF833D000 \SystemRoot\System32\Drivers\Fips.SYS
0xF832D000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF831D000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xF89AC000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xAA1FB000 \SystemRoot\System32\Drivers\avgldx86.sys
0xAA1D7000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF8A8C000 \SystemRoot\System32\drivers\Dxapi.sys
0xAA4C3000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8CD8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03E000 \SystemRoot\System32\ialmdev5.DLL
0xBF064000 \SystemRoot\System32\ialmdd5.DLL
0xAA1BB000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9DDA000 \SystemRoot\system32\drivers\wdmaud.sys
0xA9F27000 \SystemRoot\system32\drivers\sysaudio.sys
0xA9ECF000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA99C5000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF8B42000 \SystemRoot\System32\Drivers\ASCTRM.SYS
0xA9825000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xA978E000 \SystemRoot\system32\DRIVERS\srv.sys
0xA91CB000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 38):
0 System Idle Process
4 System
872 C:\WINDOWS\system32\smss.exe
948 csrss.exe
972 C:\WINDOWS\system32\winlogon.exe
1020 C:\WINDOWS\system32\services.exe
1032 C:\WINDOWS\system32\lsass.exe
1200 C:\WINDOWS\system32\svchost.exe
1256 svchost.exe
1392 svchost.exe
1468 svchost.exe
1784 C:\WINDOWS\system32\spoolsv.exe
492 C:\WINDOWS\explorer.exe
816 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
828 C:\WINDOWS\zHotkey.exe
840 C:\WINDOWS\SOUNDMAN.EXE
928 C:\WINDOWS\ALCWZRD.EXE
1364 C:\PROGRA~1\AVG\AVG8\avgtray.exe
1424 C:\Program Files\iTunes\iTunesHelper.exe
1344 C:\Program Files\CyberLink\PCM4Everio\EverioService.exe
1512 C:\Program Files\USB Aquarium\Aquarium.exe
1532 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
1604 svchost.exe
1640 C:\WINDOWS\system32\ctfmon.exe
1728 C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
188 C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
252 C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
268 C:\Program Files\Bonjour\mDNSResponder.exe
364 C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
1812 C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
1888 C:\Program Files\CyberLink\Shared Files\RichVideo.exe
1656 C:\Program Files\AVG\AVG8\avgrsx.exe
2124 C:\WINDOWS\system32\svchost.exe
3196 C:\Program Files\iPod\bin\iPodService.exe
3660 alg.exe
1820 C:\WINDOWS\system32\svchost.exe
3536 C:\Program Files\Internet Explorer\iexplore.exe
1580 C:\Documents and Settings\Owner\Desktop\Viruses\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000001`0f1dd200 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (FAT32)

PhysicalDrive0 Model Number: WDCWD2000JD-22HBB0, Rev: 08.02D08

Size Device Name MBR Status
--------------------------------------------
186 GB \\.\PhysicalDrive0 Gateway MBR code detected
SHA1: 007DADCB3671462B53686F6996D328CFD544ABBD


Done!

That one looks ok. Strange.

How is the PC now?

i ve just tried to search somehing on google and then click on the link. still redirects. even in a tab where the name of the site appeares you can see teh word "redirect" and then directs to random sites. ;(

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Here is my Combo Fix log. The only think i wasn't sure if i did the right thing is -clicked "No" when CF popped the msg" this mashine does not have or existing recovery console maybe required updating. click yes to have CF download/install it. note: internet connection is required" so i clicked "no" thinking it would terminate the program, so i can ask you but it run anyway. so, here it is.

ComboFix 10-10-12.03 - Owner 10/14/2010 19:19:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.357 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\NetworkService\Application Data\Bitrix Security
c:\documents and settings\NetworkService\Application Data\Bitrix Security\lpe.txt
c:\documents and settings\NetworkService\Application Data\Bitrix Security\ojtq9_shrd
c:\documents and settings\NetworkService\Application Data\Bitrix Security\qks.txt
c:\documents and settings\NetworkService\Application Data\Bitrix Security\rslbka
c:\documents and settings\NetworkService\Application Data\Bitrix Security\ysloiyiy6_shrd
c:\documents and settings\Owner\Application Data\Bitrix Security
c:\documents and settings\Owner\Application Data\Bitrix Security\ysloiyiy6_shrd
c:\documents and settings\Owner\Application Data\Install.dat
c:\documents and settings\Owner\Recent\Thumbs.db
c:\windows\system\oeminfo.ini
c:\windows\system32\winmds.exe.a_a
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\ipsec.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE


((((((((((((((((((((((((( Files Created from 2010-09-15 to 2010-10-15 )))))))))))))))))))))))))))))))
.

2010-10-13 02:10 . 2010-10-13 02:10 -------- d-----w- c:\program files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2003-06-07 11:32 . 2003-06-07 11:32 50688 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

2004-11-09 17:04 . 2003-11-01 03:42 32768 c:\program files\CyberLink\PowerDVD\bak\PDVDServ.exe

2004-10-18 22:05 . 2004-10-18 22:05 135168 c:\program files\Digital Media Reader\bak\shwiconem.exe

2006-03-09 01:17 . 2006-08-03 03:51 358447 c:\program files\Grisoft\AVG7\bak\avgcc.exe

2004-02-18 17:55 . 2004-02-18 17:55 49152 c:\program files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe

2003-12-22 16:38 . 2003-12-22 16:38 241664 c:\program files\HP\hpcoretech\bak\hpcmpmgr.exe

2006-02-23 22:45 . 2006-02-23 22:45 278528 c:\program files\iTunes\bak\iTunesHelper.exe
2008-07-10 17:51 . 2008-07-10 17:51 289064 c:\program files\iTunes\iTunesHelper.exe

2006-03-20 01:08 . 2005-03-04 11:36 36975 c:\program files\Java\jre1.5.0_02\bin\bak\jusched.exe

2006-06-29 15:32 . 2006-06-29 15:32 155648 c:\program files\QuickTime\bak\qttask.exe
2008-05-27 17:50 . 2008-05-27 17:50 413696 c:\program files\QuickTime\QTTask.exe

2004-11-09 17:02 . 2004-11-09 17:02 26112 c:\program files\Real\RealPlayer\bak\RealPlay.exe

2004-09-08 17:25 . 2002-09-13 20:42 212992 c:\windows\SMINST\bak\RECGUARD.EXE

2004-08-04 12:00 . 2004-08-04 12:00 15360 c:\windows\system32\bak\ctfmon.exe
2004-08-04 12:00 . 2008-04-14 00:12 15360 c:\windows\system32\ctfmon.exe

2004-11-09 17:32 . 2004-08-20 23:51 118784 c:\windows\system32\bak\hkcmd.exe

2004-11-09 17:32 . 2004-08-20 23:55 155648 c:\windows\system32\bak\igfxtray.exe

2004-11-09 17:03 . 2001-07-09 19:50 155648 c:\windows\system32\bak\NeroCheck.exe

2005-01-29 00:38 . 2004-03-04 15:46 172032 c:\windows\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-26 17:36 1008896 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-06-26 1008896]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 61952]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-03-19 78960]
"CHotkey"="zHotkey.exe" [2004-05-18 543232]
"ShowWnd"="ShowWnd.exe" [2003-09-19 36864]
"SoundMan"="SOUNDMAN.EXE" [2004-09-24 77824]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-25 2559488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-07-08 2048352]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 116040]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-10 289064]
"EverioService"="c:\program files\CyberLink\PCM4Everio\EverioService.exe" [2007-11-02 151552]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [N/A]
"Aquairum"="c:\program files\USB Aquarium\Aquarium.exe" [2007-05-18 143360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [N/A]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-6 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 15:59 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/8/2008 8:05 PM 335240]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2/5/2009 3:49 PM 297752]
.
Contents of the 'Scheduled Tasks' folder

2010-07-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-12 00:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.ca/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2676)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware 2007\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\zHotkey.exe
c:\windows\SOUNDMAN.EXE
c:\windows\ALCWZRD.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-10-14 19:34:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-10-15 02:34

Pre-Run: 163,763,630,080 bytes free
Post-Run: 163,969,056,768 bytes free

- - End Of File - - DE9C638687B3251E8BD09B4CB1F991E1

Click here to download FindAWF.exe and save it to your desktop.
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to Press any key to continue.
Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
Copy and paste the contents of the AWF.txt file in your next reply.

Hi Crunchie
here is the AWF log
I was trying to transfer some photos from my camera and noticed the plug and play is not working. had to do it manually. could be that CF removed it? if so is there a way to put it bacck? Thank you for all your help.

  Find AWF report by noahdfear ©2006
               Version 1.40

The current date is: Sat 10/16/2010 
The current time is: 10:17:21.53


  bak folders found
  ~~~~~~~~~~~


 Directory of C:\PROGRA~1\DIGITA~1\BAK

10/18/2004  03:05 PM           135,168 shwiconem.exe
               1 File(s)        135,168 bytes

 Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006  03:45 PM           278,528 iTunesHelper.exe
               1 File(s)        278,528 bytes

 Directory of C:\PROGRA~1\MESSEN~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2006  08:32 AM           155,648 qttask.exe
               1 File(s)        155,648 bytes

 Directory of C:\WINDOWS\SMINST\BAK

09/13/2002  01:42 PM           212,992 RECGUARD.EXE
               1 File(s)        212,992 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004  05:00 AM            15,360 ctfmon.exe
08/20/2004  04:51 PM           118,784 hkcmd.exe
08/20/2004  04:55 PM           155,648 igfxtray.exe
07/09/2001  12:50 PM           155,648 NeroCheck.exe
               4 File(s)        445,440 bytes

 Directory of C:\PROGRA~1\CREATIVE\SHARED~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

10/31/2003  08:42 PM            32,768 PDVDServ.exe
               1 File(s)         32,768 bytes

 Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

08/02/2006  08:51 PM           358,447 avgcc.exe
               1 File(s)        358,447 bytes

 Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

02/18/2004  10:55 AM            49,152 HPWuSchd2.exe
               1 File(s)         49,152 bytes

 Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003  09:38 AM           241,664 hpcmpmgr.exe
               1 File(s)        241,664 bytes

 Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

11/09/2004  10:02 AM            26,112 RealPlay.exe
               1 File(s)         26,112 bytes

 Directory of C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

06/07/2003  04:32 AM            50,688 WkUFind.exe
               1 File(s)         50,688 bytes

 Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

03/04/2005  04:36 AM            36,975 jusched.exe
               1 File(s)         36,975 bytes

 Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004  08:46 AM           172,032 hpztsb10.exe
               1 File(s)        172,032 bytes


  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

    135168 Oct 18 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
    289064 Jul 10 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
    278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Jun 21 2009 "C:\WINDOWS\Installer\{EF6C4600-306D-4F6A-A119-C2A877D25B4A}\iTunesIco.exe"
    413696 May 27 2008 "C:\Program Files\QuickTime\QTTask.exe"
    155648 Jun 29 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
     15360 Apr 13 2008 "C:\WINDOWS\system32\ctfmon.exe"
     15360 Apr 13 2008 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
     15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Jul  9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
     32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
    358447 Aug  2 2006 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
     49152 Feb 18 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
    241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
     26112 Nov  9 2004 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
     50688 Jun  7 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
     36975 Mar  4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\bak\jusched.exe"
    172032 Mar  4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"


  end of report

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

"C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
"C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
"C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
"C:\Program Files\Java\jre1.5.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"

Next, close and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Hi Crunchie, as per your instructions:

  Find AWF report by noahdfear ©2006
               Version 1.40
Option 2 run successfully

The current date is: Sun 10/17/2010 
The current time is: 18:03:37.23


  bak folders found
  ~~~~~~~~~~~


Directory of C:\PROGRA~1\DIGITA~1\BAK

10/18/2004  03:05 PM           135,168 shwiconem.exe
               1 File(s)        135,168 bytes

 Directory of C:\PROGRA~1\ITUNES\BAK

02/23/2006  03:45 PM           278,528 iTunesHelper.exe
               1 File(s)        278,528 bytes

 Directory of C:\PROGRA~1\MESSEN~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2006  08:32 AM           155,648 qttask.exe
               1 File(s)        155,648 bytes

 Directory of C:\WINDOWS\SMINST\BAK

09/13/2002  01:42 PM           212,992 RECGUARD.EXE
               1 File(s)        212,992 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004  05:00 AM            15,360 ctfmon.exe
08/20/2004  04:51 PM           118,784 hkcmd.exe
08/20/2004  04:55 PM           155,648 igfxtray.exe
07/09/2001  12:50 PM           155,648 NeroCheck.exe
               4 File(s)        445,440 bytes

 Directory of C:\PROGRA~1\CREATIVE\SHARED~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

10/31/2003  08:42 PM            32,768 PDVDServ.exe
               1 File(s)         32,768 bytes

 Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

08/02/2006  08:51 PM           358,447 avgcc.exe
               1 File(s)        358,447 bytes

 Directory of C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK

02/18/2004  10:55 AM            49,152 HPWuSchd2.exe
               1 File(s)         49,152 bytes

 Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

12/22/2003  09:38 AM           241,664 hpcmpmgr.exe
               1 File(s)        241,664 bytes

 Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

11/09/2004  10:02 AM            26,112 RealPlay.exe
               1 File(s)         26,112 bytes

 Directory of C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK

06/07/2003  04:32 AM            50,688 WkUFind.exe
               1 File(s)         50,688 bytes

 Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

03/04/2005  04:36 AM            36,975 jusched.exe
               1 File(s)         36,975 bytes

 Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004  08:46 AM           172,032 hpztsb10.exe
               1 File(s)        172,032 bytes


  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

    135168 Oct 18 2004 "C:\Program Files\Digital Media Reader\shwiconem.exe"
    135168 Oct 18 2004 "C:\Program Files\Digital Media Reader\bak\shwiconem.exe"
    278528 Feb 23 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
    278528 Feb 23 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Jun 21 2009 "C:\WINDOWS\Installer\{EF6C4600-306D-4F6A-A119-C2A877D25B4A}\iTunesIco.exe"
    155648 Jun 29 2006 "C:\Program Files\QuickTime\qttask.exe"
    155648 Jun 29 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    212992 Sep 13 2002 "C:\WINDOWS\SMINST\RECGUARD.EXE"
    212992 Sep 13 2002 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
     15360 Aug  4 2004 "C:\WINDOWS\system32\ctfmon.exe"
     15360 Apr 13 2008 "C:\WINDOWS\ERDNT\cache\ctfmon.exe"
     15360 Aug  4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\hkcmd.exe"
    118784 Aug 20 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Aug 20 2004 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Jul  9 2001 "C:\WINDOWS\system32\NeroCheck.exe"
    155648 Jul  9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
     32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
     32768 Oct 31 2003 "C:\Program Files\CyberLink\PowerDVD\bak\PDVDServ.exe"
    358447 Aug  2 2006 "C:\Program Files\Grisoft\AVG7\avgcc.exe"
    358447 Aug  2 2006 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
     49152 Feb 18 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
     49152 Feb 18 2004 "C:\Program Files\Hewlett-Packard\HP Software Update\bak\HPWuSchd2.exe"
    241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    241664 Dec 22 2003 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
     26112 Nov  9 2004 "C:\Program Files\Real\RealPlayer\RealPlay.exe"
     26112 Nov  9 2004 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
     50688 Jun  7 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe"
     50688 Jun  7 2003 "C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe"
     36975 Mar  4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
     36975 Mar  4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\bak\jusched.exe"
    172032 Mar  4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe"
    172032 Mar  4 2004 "C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb10.exe"


  end of report

Double-click the FindAWF icon once again

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\PROGRA~1\DIGITA~1\BAK
C:\PROGRA~1\ITUNES\BAK
C:\PROGRA~1\MESSEN~1\BAK
C:\PROGRA~1\QUICKT~1\BAK
C:\WINDOWS\SMINST\BAK
C:\WINDOWS\SYSTEM32\BAK
C:\PROGRA~1\CREATIVE\SHARED~1\BAK
C:\PROGRA~1\CYBERL~1\POWERDVD\BAK
C:\PROGRA~1\GRISOFT\AVG7\BAK
C:\PROGRA~1\HEWLET~1\HPSOFT~1\BAK
C:\PROGRA~1\HP\HPCORE~1\BAK
C:\PROGRA~1\REAL\REALPL~1\BAK
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\BAK
C:\PROGRA~1\COMMON~1\MICROS~1\WORKSS~1\BAK
C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK
C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

here is the log:


Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Mon 10/18/2010
The current time is: 19:06:12.53


bak folders found
~~~~~~~~~~~

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

end of report

That worked ok. How is the computer now?

Doesn't redirect anymore. could not be happier or more impressed with the results. Thank you very much for all your help.

Cool :).

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC by OldTimer:
Save it to your Desktop.
Double click OTC.exe.
Click the CleanUp! button.
If you are prompted to Reboot during the cleanup, select Yes. The tool will delete itself once it finishes.

All clean. Thank you again Crunchie and Daniweb forum.

No worries :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.