Welcome Guest ( Login | Register )
        

Home » Windows & System Security » HiJack This Logs » White X in a Red Circle in my System Tray
12»»

White X in a Red Circle in my System Tray Expand / Collapse
Author
Message
Posted 5/13/2008 2:14 PM
New Member

New MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew Member

Group: Forum Members
Last Login: 5/14/2008 10:31 AM
Posts: 10, Visits: 14
Hello, yesterday I got a White X in a Red Circle in my system tray. I think I may have oriiginally gotten downloader.misleadApp but I think my scans got rid of it. However, the X is still there and it continually pops up a bubble that tells me that I have spyware. I know the bubble is either a virus itself or attached to one because the message is full of mis-spellings and it has no link. Here is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:12:12 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\braviax.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124836278656
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.com/applet/applet_o.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9733 bytes


-Thanks in advance for your help

  Post #239390
 
Posted 5/13/2008 2:21 PM


Senior Forum Moderator

Senior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum Moderator

Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 31,427, Visits: 54,734
Welcome

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".
Read this article:
http://www.clickz.com/news/article.php/3561546
You are well advised to remove the program now.
Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present,then restart your pc:
Viewpoint
Viewpoint Toolbar
Viewpoint Manager
Viewpoint Media Player


Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop,and install the fix to C:\

* You might want to print/copy the following as you need to be in Safe Mode from here on.

* Please then reboot your computer into Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode,go to and open the C:\SDFix folder,then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer that normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix,please delete that version now.
Download Combofix by sUBs and save to your desktop.
Alternative Combofix download link HERE.
Note
It is important that it is saved directly to your desktop

Now close any open browsers.
Double click on Combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window or do anything else on your pc while it's running.
That may cause the program/system to freeze/hang.
Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix,please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

_______________________________________________________________



ASAP & UNITE member since 2006



Use OpenDNS
  Post #239392
 
Posted 5/13/2008 3:46 PM
New Member

New MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew Member

Group: Forum Members
Last Login: 5/14/2008 10:31 AM
Posts: 10, Visits: 14
SDFix: Version 1.182
Run by Derek O'Connor on Tue 05/13/2008 at 04:07 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\braviax.exe  - Deleted
C:\WINDOWS\system32\winivstr.exe  - Deleted

Removing Temp Files

ADS Check :
 


                                 Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 16:21:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu  9 Jun 2005         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 17 Dec 2007        22,016 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_EGL 352_Virginia Woolf\~WRL2551.tmp"
Tue 18 Dec 2007        26,624 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_EGL 352_Virginia Woolf\~WRL2562.tmp"
Mon 17 Dec 2007        23,552 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_EGL 352_Virginia Woolf\~WRL2766.tmp"
Mon 17 Dec 2007        19,456 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_EGL 352_Virginia Woolf\~WRL2815.tmp"
Mon 17 Dec 2007        20,480 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_EGL 352_Virginia Woolf\~WRL3714.tmp"
Sun 16 Apr 2006        23,552 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL0053.tmp"
Sun 16 Apr 2006        23,040 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL0457.tmp"
Sun 16 Apr 2006        23,040 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL0526.tmp"
Sun 16 Apr 2006        23,552 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL0670.tmp"
Sun 16 Apr 2006        23,552 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL1020.tmp"
Sun 16 Apr 2006        23,552 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL2107.tmp"
Fri 14 Apr 2006        20,480 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL2215.tmp"
Sun 16 Apr 2006        23,040 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL2789.tmp"
Sun 16 Apr 2006        21,504 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL3163.tmp"
Sun 16 Apr 2006        20,480 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL3231.tmp"
Sun 16 Apr 2006        23,552 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 375_U.S. Politics & Diplomacy To 1898\~WRL3648.tmp"
Thu  1 May 2008        19,456 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 390_Medieval France\~WRL1762.tmp"
Thu  1 May 2008        19,968 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\SBU_HIS 390_Medieval France\~WRL4021.tmp"
Fri 18 Jan 2008           400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Fri 18 Jan 2008           403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Thu 20 Sep 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\14a2354517107bc1d6b9d1d0c325d0d8\BITF.tmp"
Thu 20 Sep 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c8e1092e4a07bde9d108020eaac84239\BITE.tmp"
Thu  8 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT2.tmp"
Wed 19 Oct 2005        87,552 ...H. --- "C:\Documents and Settings\Derek O'Connor\Application Data\Microsoft\Templates\~WRL0135.tmp"
Fri 10 Aug 2007       216,576 ...H. --- "C:\Documents and Settings\Derek O'Connor\Application Data\Microsoft\Templates\~WRL0607.tmp"
Fri 24 Aug 2007       217,088 ...H. --- "C:\Documents and Settings\Derek O'Connor\Application Data\Microsoft\Templates\~WRL1728.tmp"
Mon 28 Apr 2008       246,272 ...H. --- "C:\Documents and Settings\Derek O'Connor\Application Data\Microsoft\Templates\~WRL2819.tmp"
Fri 10 Mar 2006        20,480 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\Derek MISC\Written\~WRL3415.tmp"
Fri 10 Mar 2006        19,456 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\Derek MISC\Written\~WRL3585.tmp"
Fri 10 Mar 2006        21,504 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\Derek MISC\Written\~WRL4073.tmp"
Thu  9 Jun 2005         4,348 ...H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\My Music\License Backup\drmv1key.bak"
Thu 26 Jul 2007            20 A..H. --- "C:\Documents and Settings\Derek O'Connor\My Documents\My Music\License Backup\drmv1lic.bak"
Thu  9 Jun 2005           400 A.SH. --- "C:\Documents and Settings\Derek O'Connor\My Documents\My Music\License Backup\drmv2key.bak"
Sat 14 Apr 2007             8 A..H. --- "C:\Documents and Settings\Derek O'Connor\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sat 14 Apr 2007             8 A..H. --- "C:\Documents and Settings\Derek O'Connor\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Sat 14 Apr 2007             8 A..H. --- "C:\Documents and Settings\Derek O'Connor\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Sat 14 Apr 2007             8 A..H. --- "C:\Documents and Settings\Derek O'Connor\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"

Finished!

  Post #239394
 
Posted 5/13/2008 3:49 PM
New Member

New MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew Member

Group: Forum Members
Last Login: 5/14/2008 10:31 AM
Posts: 10, Visits: 14
And here is my new hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:18 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124836278656
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.com/applet/applet_o.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 9432 bytes
  Post #239395
 
Posted 5/13/2008 3:52 PM


Senior Forum Moderator

Senior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum Moderator

Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 31,427, Visits: 54,734
Could you follow the Combofix instructions please.

_______________________________________________________________



ASAP & UNITE member since 2006



Use OpenDNS
  Post #239396
 
Posted 5/13/2008 4:37 PM
New Member

New MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew Member

Group: Forum Members
Last Login: 5/14/2008 10:31 AM
Posts: 10, Visits: 14
ComboFix 08-05-12.1 - Derek O'Connor 2008-05-13 17:12:45.1 - NTFSx86
Running from: C:\Documents and Settings\Derek O'Connor\Desktop\ComboFix.exe
 * Created a new restore point

[color=red]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\WinBudget
C:\WINDOWS\system32\drivers\fad.sys

.
(((((((((((((((((((((((((   Files Created from 2008-04-13 to 2008-05-13  )))))))))))))))))))))))))))))))
.

2008-05-13 16:01 . 2008-05-13 16:02 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-13 15:54 . 2008-05-13 02:57 <DIR> d-------- C:\SDFix
2008-05-13 15:35 . 2008-05-13 15:35 <DIR> d-------- C:\Deckard
2008-05-13 00:47 . 2008-05-13 00:47 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-12 21:01 . 2008-05-12 21:01 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-05-12 20:59 . 2008-05-12 21:02 <DIR> d-------- C:\Program Files\Norton Internet Security
2008-05-12 20:57 . 2008-05-12 21:02 123,952 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2008-05-12 20:57 . 2008-05-12 21:02 60,800 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-05-12 20:57 . 2008-05-12 21:02 10,563 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.CAT
2008-05-12 20:57 . 2008-05-12 21:02 805 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.INF
2008-05-12 19:55 . 2008-05-12 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-13 21:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-13 19:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-05-13 02:58 --------- d-----w C:\Program Files\DivX
2008-05-13 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-13 01:05 --------- d-----w C:\Documents and Settings\Derek O'Connor\Application Data\Symantec
2008-05-13 01:02 --------- d-----w C:\Program Files\Symantec
2008-04-11 16:55 --------- d-----w C:\Program Files\Common Files\Adobe
2005-10-13 16:19 13,195 ----a-w C:\Documents and Settings\Derek O'Connor\ZGUICFGW.DAT
2005-08-29 21:33 40 ----a-w C:\Documents and Settings\Derek O'Connor\language.dat
.

(((((((((((((((((((((((((((((((((((((((((((((   AWF   ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w           135,168 2007-11-13 21:46:00  C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe

----a-w            63,712 2007-03-09 15:09:58  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe

----a-w            39,792 2007-10-10 23:51:55  C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w            39,792 2008-01-12 02:16:38  C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

----a-w            50,736 2006-11-07 15:29:02  C:\Program Files\AIM6\bak\aim6.exe
----a-w            50,528 2008-01-03 16:15:06  C:\Program Files\AIM6\aim6.exe

----a-w            81,920 2004-06-16 10:03:04  C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w           221,184 2004-06-16 11:03:26  C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w           110,592 2003-08-19 06:01:00  C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe

----a-w           135,264 2002-04-03 06:01:00  C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe

----a-w           290,816 2004-04-12 01:15:14  C:\Program Files\Dell\Media Experience\bak\PCMService.exe

----a-w           460,784 2007-03-15 15:09:36  C:\Program Files\DellSupport\bak\DSAgnt.exe

----a-w           221,184 2003-09-04 01:12:44  C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe

----a-w           267,048 2007-11-02 23:36:42  C:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w           267,048 2007-11-02 23:36:42  C:\Program Files\iTunes\iTunesHelper.exe

----a-w            32,881 2003-11-19 22:48:14  C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe

----a-w           286,720 2007-10-20 01:16:26  C:\Program Files\QuickTime\bak\qttask.exe

----a-w            26,112 2004-08-10 14:01:25  C:\Program Files\Real\RealPlayer\bak\RealPlay.exe

----a-w            53,248 2002-02-05 03:32:10  C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE

----a-w           224,248 2007-06-08 14:59:38  C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe

----a-w            90,112 2000-05-11 06:00:00  C:\WINDOWS\bak\UpdReg.EXE

----a-w            15,360 2004-08-04 07:56:48  C:\WINDOWS\SYSTEM32\bak\ctfmon.exe
----a-w            15,360 2004-08-04 07:56:48  C:\WINDOWS\SYSTEM32\ctfmon.exe

----a-w           126,976 2005-06-22 04:44:34  C:\WINDOWS\SYSTEM32\bak\hkcmd.exe

----a-w           155,648 2005-06-22 04:48:18  C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

----a-w           122,933 2004-03-15 06:04:00  C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe

----a-w           172,032 2004-03-04 15:46:24  C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\hpztsb10.exe

.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-07 00:05 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"Aim6"="" []
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [ ]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [ ]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [ ]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [ ]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [ ]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [ ]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [ ]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [ ]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 19:36 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-25 21:47 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 02:49 718704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-04 18:23:00 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-04 18:23:00 53317]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= C:\WINDOWS\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 21:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 01:20:41 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Derek O'Connor.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-13 17:20:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-13 17:28:56
ComboFix-quarantined-files.txt  2008-05-13 21:28:51

Pre-Run: 4,402,397,184 bytes free
Post-Run: 4,514,127,872 bytes free

151 --- E O F --- 2008-04-10 00:53:59

  Post #239399
 
Posted 5/13/2008 4:38 PM
New Member

New MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew Member

Group: Forum Members
Last Login: 5/14/2008 10:31 AM
Posts: 10, Visits: 14
Here is my latest hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:37:59 PM, on 5/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124836278656
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled2/sis/popcaploader_v10.cab
O16 - DPF: {FCF289D4-0AC8-4ED8-BE31-E8AF09606AB5} (download_35mb_com.applet) - http://static.35mb.com/applet/applet_o.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 9663 bytes

Thanks for the help so far

  Post #239400
 
Posted 5/13/2008 4:54 PM


Senior Forum Moderator

Senior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum Moderator

Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 31,427, Visits: 54,734
Download FindAWF.exe and save it to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe
Double-click on the FindAWF.exe file to run it.
It will open a command prompt and ask you to "Press any key to continue".
Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
It may take a few minutes to complete so be patient.
When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
Copy and paste the contents of the AWF.txt file in your next reply.

_______________________________________________________________



ASAP & UNITE member since 2006



Use OpenDNS
  Post #239401
 
Posted 5/13/2008 5:13 PM
New Member

New MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew MemberNew Member

Group: Forum Members
Last Login: 5/14/2008 10:31 AM
Posts: 10, Visits: 14
 Find AWF report by noahdfear ©2006
               Version 1.40

The current date is: Tue 05/13/2008
The current time is: 18:07:57.17


  bak folders found
  ~~~~~~~~~~~


 Directory of C:\WINDOWS\BAK

05/11/2000  02:00 AM            90,112 UpdReg.EXE
               1 File(s)         90,112 bytes

 Directory of C:\PROGRA~1\AIM6\BAK

11/07/2006  11:29 AM            50,736 aim6.exe
               1 File(s)         50,736 bytes

 Directory of C:\PROGRA~1\DELLSU~1\BAK

03/15/2007  11:09 AM           460,784 DSAgnt.exe
               1 File(s)        460,784 bytes

 Directory of C:\PROGRA~1\ITUNES\BAK

11/02/2007  07:36 PM           267,048 iTunesHelper.exe
               1 File(s)        267,048 bytes

 Directory of C:\PROGRA~1\QUICKT~1\BAK

10/19/2007  09:16 PM           286,720 qttask.exe
               1 File(s)        286,720 bytes

 Directory of C:\PROGRA~1\REGSHAVE\BAK

02/04/2002  11:32 PM            53,248 REGSHAVE.EXE
               1 File(s)         53,248 bytes

 Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004  03:56 AM            15,360 ctfmon.exe
06/22/2005  12:44 AM           126,976 hkcmd.exe
06/22/2005  12:48 AM           155,648 igfxtray.exe
               3 File(s)        297,984 bytes

 Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

               0 File(s)              0 bytes

 Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK

04/11/2004  09:15 PM           290,816 PCMService.exe
               1 File(s)        290,816 bytes

 Directory of C:\PROGRA~1\INTEL\MODEME~1\BAK

09/03/2003  09:12 PM           221,184 IntelMEM.exe
               1 File(s)        221,184 bytes

 Directory of C:\PROGRA~1\REAL\REALPL~1\BAK

08/10/2004  10:01 AM            26,112 RealPlay.exe
               1 File(s)         26,112 bytes

 Directory of C:\PROGRA~1\YAHOO!\SEARCH~1\BAK

06/08/2007  10:59 AM           224,248 SearchProtection.exe
               1 File(s)        224,248 bytes

 Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

03/15/2004  02:04 AM           122,933 tfswctrl.exe
               1 File(s)        122,933 bytes

 Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK

10/10/2007  07:51 PM            39,792 Reader_sl.exe
               1 File(s)         39,792 bytes

 Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

06/16/2004  06:03 AM            81,920 issch.exe
06/16/2004  07:03 AM           221,184 ISUSPM.exe
               2 File(s)        303,104 bytes

 Directory of C:\PROGRA~1\COMMON~1\SONIC\UPDATE~1\BAK

08/19/2003  02:01 AM           110,592 sgtray.exe
               1 File(s)        110,592 bytes

 Directory of C:\PROGRA~1\CREATIVE\SBLIVE\DIAGNO~1\BAK

04/03/2002  02:01 AM           135,264 diagent.exe
               1 File(s)        135,264 bytes

 Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

11/19/2003  06:48 PM            32,881 jusched.exe
               1 File(s)         32,881 bytes

 Directory of C:\DOCUME~1\ALLUSE~1\APPLIC~1\DELL\TRANSF~1\BAK

11/13/2007  05:46 PM           135,168 TransferAgent.exe
               1 File(s)        135,168 bytes

 Directory of C:\PROGRA~1\ADOBE\PHOTOS~1\3.2\APPS\BAK

03/09/2007  11:09 AM            63,712 apdproxy.exe
               1 File(s)         63,712 bytes

 Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

03/04/2004  11:46 AM           172,032 hpztsb10.exe
               1 File(s)        172,032 bytes


  Duplicate files of bak directory contents
  ~~~~~~~~~~~~~~~~~~~~~~~

     90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
     50528 Jan  3 2008 "C:\Program Files\AIM6\aim6.exe"
     50736 Nov  7 2006 "C:\Program Files\AIM6\bak\aim6.exe"
    460784 Mar 15 2007 "C:\Program Files\DellSupport\bak\DSAgnt.exe"
    267048 Nov  2 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
    267048 Nov  2 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Mar  6 2008 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
    116008 Nov  2 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
    286720 Oct 19 2007 "C:\Program Files\QuickTime\bak\qttask.exe"
     53248 Feb  4 2002 "C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
     15360 Aug  4 2004 "C:\WINDOWS\SYSTEM32\ctfmon.exe"
     15360 Aug  4 2004 "C:\WINDOWS\SYSTEM32\bak\ctfmon.exe"
    118784 Feb 10 2004 "C:\DRIVERS\VIDEO\HKCMD.EXE"
    126976 Jun 22 2005 "C:\DRIVERS\R106456\Win2000\hkcmd.exe"
    126976 Jun 22 2005 "C:\WINDOWS\SYSTEM32\bak\hkcmd.exe"
    126976 Jan 23 2005 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\hkcmd.exe"
    155648 Feb 10 2004 "C:\DRIVERS\VIDEO\IGFXTRAY.EXE"
    155648 Jun 22 2005 "C:\DRIVERS\R106456\Win2000\igfxtray.exe"
    155648 Jun 22 2005 "C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
    155648 Jan 23 2005 "C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxtray.exe"
    290816 Apr 11 2004 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
    221184 Sep  3 2003 "C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
     26112 Aug 10 2004 "C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
    224248 Jun  8 2007 "C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
    122933 Mar 15 2004 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
    122933 Mar 15 2004 "C:\WINDOWS\SYSTEM32\dla\bak\tfswctrl.exe"
     39792 Jan 11 2008 "C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe"
     39792 Oct 10 2007 "C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
     81920 Jun 16 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
    221184 Jun 16 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
    110592 Aug 19 2003 "C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
    135264 Apr  3 2002 "C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
     32881 Nov 19 2003 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
    135168 Nov 13 2007 "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe"
    327437 Jan 27 2008 "C:\Documents and Settings\Derek O'Connor\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\CIP\TransferAgentSetup.exe"
     63712 Mar  9 2007 "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
    172032 Mar  4 2004 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\hpztsb10.exe"


  end of report

  Post #239403
 
Posted 5/13/2008 5:24 PM


Senior Forum Moderator

Senior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum ModeratorSenior Forum Moderator

Group: Moderators
Last Login: 8/9/2008 10:14 AM
Posts: 31,427, Visits: 54,734
Double-click FindAWF.exe to start the tool.
Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
A text file will open up.
Please copy and paste ALL the following text inside the code box below into the text file:

"C:\WINDOWS\bak\UpdReg.EXE"
"C:\Program Files\DellSupport\bak\DSAgnt.exe"
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\REGSHAVE\bak\REGSHAVE.EXE"
"C:\WINDOWS\SYSTEM32\bak\igfxtray.exe"
"C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
"C:\Program Files\Intel\Modem Event Monitor\bak\IntelMEM.exe"
"C:\Program Files\Real\RealPlayer\bak\RealPlay.exe"
"C:\Program Files\Yahoo!\Search Protection\bak\SearchProtection.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
"C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
"C:\Program Files\Common Files\Sonic\Update Manager\bak\sgtray.exe"
"C:\Program Files\Creative\SBLive\Diagnostics\bak\diagent.exe"
"C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
"C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\bak\TransferAgent.exe"
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\bak\apdproxy.exe"
"C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\bak\hpztsb10.exe"

Close the files.txt and click Yes to save the changes.
FindAWF will now terminate the bad processes if running, delete the bad files and restore/replace them with the good files.
Then it will open a log.
Copy and paste the contents of that log in your next reply.

_______________________________________________________________



ASAP & UNITE member since 2006



Use OpenDNS
  Post #239404
 
« Prev Topic | Next Topic »


12»»

All times are GMT -6:00, Time now is 4:51pm

Powered By InstantForum.NET v4.1.4 © 2009
Execution: 0.088. 10 queries. Compression Disabled.