victorb

spyware/trojan infection - 2 Duplicates deleted

22 posts in this topic

I appear to have been infected with at least several spyware and/or trojans. It appears to have disabled my ability to run ActiveX, and I cannot reactivate this functionality.

I first tried to run Spybot Search & Destroy, and it successfully appeared to remove some problems it detected (listed as CoolWWWSearch, SpySheriff, SearchCentrix, Smitfraud-C, and Spabot). This did not solve the problem.

I also ran Ad-Aware 2007; no specific threats were detected.

My computer runs the corporate version of Symantec AntiVirus. I ran two complete scans, and it picked up multiple copies of Trojan.Peacomm.D, which it appeared to remove successfully. The second complete scan picked up Adware.SystemProcess, which it also appeared to clean.

The original problem, however, remains: ActiveX is not working.

I have downloaded HijackThis, and the current logfile follows.

Any advice you can give me will be greatly appreciated.

------------------------------------------------------------------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:54:24 PM, on 11/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\SafeBoot\SBMGRNT.EXE

C:\WINDOWS\system32\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

D:\Program Files\Lavasoft\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe

c:\Program Files\CA\SC\CAM\bin\cam.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

c:\Program Files\ENDFORCE\AgentAPI.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\UMCSTUB.EXE

c:\Program Files\CA\DSM\bin\caf.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

c:\Program Files\CA\DSM\Bin\cfsmsmd.exe

c:\Program Files\CA\DSM\Bin\ccnfagent.exe

c:\Program Files\CA\DSM\Bin\cfnotsrvd.exe

c:\Program Files\CA\DSM\Bin\ccsmagtd.exe

c:\Program Files\CA\DSM\Bin\amswmagt.exe

c:\Program Files\CA\DSM\PMAgent\capmuamagt.exe

c:\Program Files\CA\DSM\Bin\cfftplugin.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CA\DSM\bin\cfSysTray.exe

D:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft Security Adviser\msctrl.exe

C:\Program Files\Microsoft Security Adviser\msavsc.exe

C:\Program Files\Microsoft Security Adviser\msscan.exe

C:\Program Files\Microsoft Security Adviser\msiemon.exe

C:\Program Files\Microsoft Security Adviser\msfw.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe

C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Infotriever\Agent\infoclient.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

d:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://healthcare.home.ge.com/portal/beans...site/healthcare

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gems.setpac.ge.com:1533/pac.pac

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [sBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon

O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"

O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [DsmSxplog] "c:\Program Files\CA\DSM\Bin\sxpstub.exe"

O4 - HKLM\..\Run: [CAF_SystemTray] "c:\Program Files\CA\DSM\bin\cfSysTray.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe

O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe

O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe

O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe

O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe

O4 - HKCU\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe

O4 - HKCU\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe

O4 - HKCU\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe

O4 - HKCU\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe

O4 - HKLM\..\Policies\Explorer\Run: [1] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\nav\Navsvr.vbs

O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe

O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmone\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = ?

O4 - Global Startup: Mobile Suite Client.lnk = C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe

O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aol\aim.exe

O14 - IERESET.INF: START_PAGE_URL=http://healthcare.home.ge.com

O16 - DPF: Sametime MRC 651FP1 - http://medmeeting01.ge.com/sametime/stmeet...gRoomClient.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {09141A78-37A9-46CF-ACE9-AE0E4684B981} (Siebel High Interactivity Framework) - http://svc.med.ge.com/emedical_enu/19221/a...x_HI_Client.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111w.bay111.mail.live.com/mail/re...es/MsnPUpld.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://svc.med.ge.com/emedical_enu/19221/a...tBound_mail.cab

O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://svc.med.ge.com/emedical_enu/19221/a...Integration.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://medmeeting01.ge.com/sametime/stmeet...STJNILoader.cab

O16 - DPF: {DCBDA427-FB4C-46BF-A442-41EC5BA87F1B} - https://racalendarplugin.themeetingson.com/...000RCOGN000.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emeetings.webex.com/client/T23L10NS...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\Software\..\Telephony: DomainName = clients.am.health.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\aawservice.exe

O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe

O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - c:\Program Files\CA\SC\CAM\bin\cam.exe

O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - c:\Program Files\CA\DSM\bin\caf.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe

O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - c:\Program Files\ENDFORCE\AgentAPI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 15461 bytes


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]


Hi,

If you still need help, please post a new HijackThis log.

jedi


Here is the latest HijackThis log.

Thanks

-------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:55:20 PM, on 11/19/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\SafeBoot\SBMGRNT.EXE

C:\WINDOWS\system32\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

D:\Program Files\Lavasoft\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe

c:\Program Files\CA\SC\CAM\bin\cam.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

c:\Program Files\ENDFORCE\AgentAPI.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\UMCSTUB.EXE

c:\Program Files\CA\DSM\bin\caf.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

c:\Program Files\CA\DSM\Bin\cfsmsmd.exe

c:\Program Files\CA\DSM\Bin\ccnfagent.exe

c:\Program Files\CA\DSM\Bin\cfnotsrvd.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CA\DSM\bin\cfSysTray.exe

C:\Program Files\Microsoft Security Adviser\msctrl.exe

C:\Program Files\Microsoft Security Adviser\msavsc.exe

C:\Program Files\Microsoft Security Adviser\msscan.exe

C:\Program Files\Microsoft Security Adviser\msiemon.exe

C:\Program Files\Microsoft Security Adviser\msfw.exe

D:\Program Files\iTunes\iTunesHelper.exe

c:\Program Files\CA\DSM\Bin\ccsmagtd.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe

c:\Program Files\CA\DSM\Bin\amswmagt.exe

c:\Program Files\CA\DSM\PMAgent\capmuamagt.exe

c:\Program Files\CA\DSM\Bin\cfftplugin.exe

C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Infotriever\Agent\infoclient.exe

D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Lotus\Sametime Client\Connect.exe

C:\WINDOWS\System32\WISPTIS.EXE

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://healthcare.home.ge.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://healthcare.home.ge.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gems.setpac.ge.com:1533/pac.pac

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [sBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon

O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"

O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [DsmSxplog] "c:\Program Files\CA\DSM\Bin\sxpstub.exe"

O4 - HKLM\..\Run: [CAF_SystemTray] "c:\Program Files\CA\DSM\bin\cfSysTray.exe"

O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe

O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe

O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe

O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe

O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe

O4 - HKCU\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe

O4 - HKCU\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe

O4 - HKCU\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe

O4 - HKCU\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe

O4 - HKLM\..\Policies\Explorer\Run: [1] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\nav\Navsvr.vbs

O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe

O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe

O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmone\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = ?

O4 - Global Startup: Mobile Suite Client.lnk = C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe

O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aol\aim.exe

O14 - IERESET.INF: START_PAGE_URL=http://healthcare.home.ge.com

O16 - DPF: Sametime MRC 651FP1 - http://medmeeting01.ge.com/sametime/stmeet...gRoomClient.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {09141A78-37A9-46CF-ACE9-AE0E4684B981} (Siebel High Interactivity Framework) - http://svc.med.ge.com/emedical_enu/19221/a...x_HI_Client.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111w.bay111.mail.live.com/mail/re...es/MsnPUpld.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://svc.med.ge.com/emedical_enu/19221/a...tBound_mail.cab

O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://svc.med.ge.com/emedical_enu/19221/a...Integration.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://medmeeting01.ge.com/sametime/stmeet...STJNILoader.cab

O16 - DPF: {DCBDA427-FB4C-46BF-A442-41EC5BA87F1B} - https://racalendarplugin.themeetingson.com/...000RCOGN000.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emeetings.webex.com/client/T23L10NS...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\Software\..\Telephony: DomainName = clients.am.health.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\aawservice.exe

O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe

O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - c:\Program Files\CA\SC\CAM\bin\cam.exe

O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - c:\Program Files\CA\DSM\bin\caf.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe

O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - c:\Program Files\ENDFORCE\AgentAPI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 16246 bytes


Hi,

 

I need a sample of this folder:

 

C:\Program Files\Microsoft Security Adviser

 

Please upload it to me here:

http://www.bleepingcomputer.com/submit-mal....php?channel=18

 

Next:

 

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Next, please reboot your computer in Safe Mode by doing the following:

1) Restart your computer.

2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3) Instead of Windows loading as normal, a menu should appear.

4) Select the first option, to run Windows in Safe Mode.

 

For additional help in booting into Safe Mode, see the following site:

http://www.pchell.com/support/safemode.shtml

  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Files that are in use may be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.

Also:

 

1. Download this file: ComboFix

2. Double-click ComboFix.exe & follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply.

 

Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

 

jedi


Hi Jedi,

 

1) Requested file was uploaded to bleepingcomputer

 

2) I ran Dr.Web CureIt, log is below.

 

3) I could not run ComboFix - it came up with a message saying the copy had expired, and then it "uninstalled" itself.

 

Here is CureIt log:

 

svchost.exe;C:\;Trojan.Click.4813;Deleted.;

svchost2.exe;C:\;Trojan.Click.4813;Deleted.;

CheckPowerAndDock.vbs;C:\NewReboot;Modification of VBS.Generic.358;Moved.;

aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;Incurable.Moved.;

mssadv.exe;C:\Program Files\Microsoft Security Adviser;Trojan.Click.3334;Deleted.;

dlbxEN.vbs;C:\SUPPORT\Software\Printers Driver\Dell\Dell 962;Probably SCRIPT.Virus;Incurable.Moved.;

msavsc.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;

msctrl.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;

msfw.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;

msiemon.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;

mssadv.dll;C:\WINDOWS;Trojan.Click.3334;Deleted.;

msscan.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;

Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;

10 Colour My World.m4a;D:\Documents and Settings\212043642\My Documents\My Music\iTunes\iTunes Music\Chicago\Chicago II;Modification of Trojan.DownLoader.8192;Moved.;

inst.exe;D:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;

 

 

Thanks

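Added example, not from the thread or from Dr.Web: a small Python triage script for the DrWeb.csv report format shown above (`file;directory;threat;action;` per line), using lines copied from that log as sample input; the SYSTEM_NAMES list and the classification rules are my own assumptions.

```python
"""Triage helper for a Dr.Web CureIt report (DrWeb.csv as posted in this
thread). Each line is `file;directory;threat;action;`. This is an added
example, not Dr.Web's own code; the classification rules are assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Sample lines copied from the CureIt log posted above (not a full report).
SAMPLE_REPORT = r"""svchost.exe;C:\;Trojan.Click.4813;Deleted.;
svchost2.exe;C:\;Trojan.Click.4813;Deleted.;
CheckPowerAndDock.vbs;C:\NewReboot;Modification of VBS.Generic.358;Moved.;
mssadv.exe;C:\Program Files\Microsoft Security Adviser;Trojan.Click.3334;Deleted.;
msavsc.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
inst.exe;D:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
"""

# Core Windows process names that malware commonly borrows (assumed list).
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                "smss.exe", "csrss.exe", "explorer.exe"}
# Directories where those names legitimately live (lower-cased prefixes).
SYSTEM_DIRS = ("c:\\windows",)


@dataclass(frozen=True)
class Finding:
    name: str
    directory: str
    threat: str
    action: str  # "Deleted", "Moved" or "Incurable.Moved" (trailing dot stripped)

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def heuristic(self) -> bool:
        # "Probably ..." / "Modification of ..." are heuristic verdicts, not
        # exact signature hits, so they are the ones worth a second opinion.
        return self.threat.startswith(("Probably ", "Modification of "))

    @property
    def quarantined(self) -> bool:
        # Moved files still exist under %userprofile%\DoctorWeb; deleted ones are gone.
        return "Moved" in self.action


def parse_report(text: str) -> list[Finding]:
    """Parse DrWeb.csv text into Finding records, skipping blank lines."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4:
            raise ValueError(f"unexpected CureIt line: {line!r}")
        name, directory, threat, action = fields[:4]
        findings.append(Finding(name, directory, threat, action.rstrip(".")))
    return findings


def count_by_action(findings: list[Finding]) -> Counter:
    """How many files were deleted, moved, or moved because incurable."""
    return Counter(f.action for f in findings)


def masquerading(findings: list[Finding]) -> list[str]:
    """Paths whose file name is a core Windows process but which live outside
    C:\\WINDOWS; svchost.exe sitting in C:\\ (as in this log) is the classic case."""
    return [f.path for f in findings
            if f.name.lower() in SYSTEM_NAMES
            and not f.directory.lower().startswith(SYSTEM_DIRS)]


def samples_to_upload(findings: list[Finding]) -> list[str]:
    """Quarantined files with heuristic-only verdicts: still on disk and
    undecided, so these are the ones a helper would ask for as samples."""
    return [f.path for f in findings if f.quarantined and f.heuristic]


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("actions:", dict(count_by_action(found)))
    print("masquerading:", masquerading(found))
    print("samples to upload:", samples_to_upload(found))
```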

Hi again,

 

Download Deckard's System Scanner (formerly Comboscan) to your Desktop:

http://www.geekstogo.com/forum/index.php?a...nload&id=19

  1. Close all applications and windows.
  2. Double-click on comboscan.exe to run it, and follow the prompts.
  3. When the scan is complete, a text file will open - ComboScan.txt
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread.

jedi


Thanks Jedi, here is the log file:

 

Deckard's System Scanner v20071014.68

Run by 212043642 on 2007-11-20 10:31:37

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

-- System Restore --------------------------------------------------------------

 

Successfully created a Deckard's System Scanner Restore Point.

 

 

-- Last 2 Restore Point(s) --

2: 2007-11-20 15:31:51 UTC - RP3 - Deckard's System Scanner Restore Point

1: 2007-11-20 13:12:14 UTC - RP2 - System Checkpoint

 

 

Backed up registry hives.

Performed disk cleanup.

 

 

 

-- HijackThis (run as 212043642.exe) -------------------------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:36, on 2007-11-20

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\SafeBoot\SBMGRNT.EXE

C:\WINDOWS\system32\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

D:\Program Files\Lavasoft\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe

c:\Program Files\CA\SC\CAM\bin\cam.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

c:\Program Files\ENDFORCE\AgentAPI.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\UMCSTUB.EXE

C:\WINDOWS\Explorer.EXE

c:\Program Files\CA\DSM\bin\caf.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

c:\Program Files\CA\DSM\Bin\cfsmsmd.exe

c:\Program Files\CA\DSM\Bin\ccnfagent.exe

c:\Program Files\CA\DSM\Bin\cfnotsrvd.exe

c:\Program Files\CA\DSM\Bin\ccsmagtd.exe

c:\Program Files\CA\DSM\Bin\amswmagt.exe

c:\Program Files\CA\DSM\PMAgent\capmuamagt.exe

c:\Program Files\CA\DSM\Bin\cfftplugin.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\CA\DSM\bin\cfSysTray.exe

D:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe

C:\Program Files\iPod\bin\iPodService.exe

D:\Documents and Settings\212043642\Desktop\dss.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

D:\PROGRA~1\TRENDM~1\HIJACK~1\212043642.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://healthcare.home.ge.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://healthcare.home.ge.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gems.setpac.ge.com:1533/pac.pac

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [sBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon

O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"

O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [DsmSxplog] "c:\Program Files\CA\DSM\Bin\sxpstub.exe"

O4 - HKLM\..\Run: [CAF_SystemTray] "c:\Program Files\CA\DSM\bin\cfSysTray.exe"

O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe

O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe

O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmone\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = ?

O4 - Global Startup: Mobile Suite Client.lnk = C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe

O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aol\aim.exe

O14 - IERESET.INF: START_PAGE_URL=http://healthcare.home.ge.com

O16 - DPF: Sametime MRC 651FP1 - http://medmeeting01.ge.com/sametime/stmeet...gRoomClient.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {09141A78-37A9-46CF-ACE9-AE0E4684B981} (Siebel High Interactivity Framework) - http://svc.med.ge.com/emedical_enu/19221/a...x_HI_Client.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111w.bay111.mail.live.com/mail/re...es/MsnPUpld.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://svc.med.ge.com/emedical_enu/19221/a...tBound_mail.cab

O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://svc.med.ge.com/emedical_enu/19221/a...Integration.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://medmeeting01.ge.com/sametime/stmeet...STJNILoader.cab

O16 - DPF: {DCBDA427-FB4C-46BF-A442-41EC5BA87F1B} - https://racalendarplugin.themeetingson.com/...000RCOGN000.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emeetings.webex.com/client/T23L10NS...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\Software\..\Telephony: DomainName = clients.am.health.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\aawservice.exe

O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe

O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - c:\Program Files\CA\SC\CAM\bin\cam.exe

O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - c:\Program Files\CA\DSM\bin\caf.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe

O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - c:\Program Files\ENDFORCE\AgentAPI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 14142 bytes

 

-- File Associations -----------------------------------------------------------

 

All associations okay.

 

 

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

 

R0 aarich - c:\windows\system32\drivers\aarich.sys <Not Verified; Adaptec, Inc.; Adaptec hostRAID for Serial ATA>

R0 cercsr6 (DELL CERC SATA 1.5/6ch RAID Miniport Driver) - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>

R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere>

R0 SafeBoot - c:\windows\system32\drivers\safeboot.sys

R0 SBAlg - c:\windows\system32\drivers\sbalg.sys <Not Verified; Control Break International; SafeBoot Security System>

R1 awecho - c:\windows\system32\drivers\awechomd.sys <Not Verified; Symantec Corporation; pcAnywhere>

R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere>

R1 efPktFtr (ENDFORCE Quarantine Filter) - c:\windows\system32\drivers\efpktftr.sys <Not Verified; ENDFORCE, Inc.; Endforce DNE Plugin>

R1 RsvLock - c:\windows\system32\drivers\rsvlock.sys <Not Verified; Control Break International; SafeBoot Security System>

R1 SBFlop - c:\windows\system32\drivers\sbflop.sys <Not Verified; Control Break International; SafeBoot Security System>

R1 SbPrcCtl - c:\windows\system32\drivers\sbprcctl.sys <Not Verified; Control Break International; SafeBoot Security System>

R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys

R4 black - c:\windows\system32\drivers\blackdrv.sys <Not Verified; Internet Security Systems, Inc.; ICEpac>

 

S3 HSFHWICH - c:\windows\system32\drivers\hsfhwich.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>

S3 RapFile - c:\windows\system32\drivers\rapfile.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>

S3 RapNet - c:\windows\system32\drivers\rapnet.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>

S4 a320raid - c:\windows\system32\drivers\a320raid.sys <Not Verified; Adaptec, Inc.; Adaptec hostRAID for Ultra320 SCSI>

S4 aac (PERC 320/DC SCSI RAID Miniport Driver) - c:\windows\system32\drivers\aac.sys <Not Verified; Adaptec, Inc.; Adaptec RAID Controller>

S4 AW_HOST - c:\windows\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere>

S4 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>

S4 vmscsi - c:\windows\system32\drivers\vmscsi.sys <Not Verified; VMware, Inc.; VMware, Inc. Script1 Application>

 

 

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

 

R2 AmoAgent (Asset Management Agent) - c:\windows\umcstub.exe <Not Verified; Computer Associates International, Inc.; Unicenter Asset Management>

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>

R2 BlackICE - "c:\program files\iss\isssensors\desktopprotection\blackd.exe" <Not Verified; Internet Security Systems, Inc.; Internet Security Systems Inc. blackd>

R2 CA-MessageQueuing (CA Message Queuing Server) - "c:\program files\ca\sc\cam\bin\cam.exe" <Not Verified; CA, Inc.; CA Message Queuing>

R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >

R2 ENDFORCE Agent API - "c:\program files\endforce\agentapi.exe" <Not Verified; ENDFORCE, Inc.; Agent API Module>

R2 InCDsrvR (InCD Helper (read only)) - c:\program files\ahead\incd\incdsrv.exe -r <Not Verified; Nero AG; Nero AG incdsrv>

R2 Lotus Notes Single Logon - c:\windows\system32\nslsvice.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>

R2 SafeBootConfigurationManager (SafeBoot Configuration Manager) - c:\program files\safeboot\sbmgrnt.exe <Not Verified; Control Break International; SafeBoot Security System>

 

S3 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe <Not Verified; Symantec Corporation; pcAnywhere>

S3 RapApp - "c:\program files\iss\isssensors\desktopprotection\rapapp.exe" <Not Verified; Internet Security Systems, Inc.; Internet Security Systems, Inc. Rap Protection System>

 

 

-- Device Manager: Disabled ----------------------------------------------------

 

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET00

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET00

Service: CVirtA

 

 

-- Scheduled Tasks -------------------------------------------------------------

 

2007-11-14 12:08:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

 

 

-- Files created between 2007-10-20 and 2007-11-20 -----------------------------

 

2007-11-20 10:31:19 0 d-------- D:\Deckard

2007-11-19 22:14:08 0 d-------- D:\Documents and Settings\212043642\DoctorWeb

2007-11-15 13:48:46 0 d-------- D:\Documents and Settings\212043642\Application Data\GlarySoft

2007-11-14 12:29:08 0 d-------- C:\Program Files\iPod

2007-11-14 12:28:45 0 d--hs---- D:\Config.Msi

2007-11-10 17:01:03 4922 --a------ C:\WINDOWS\system32\tmp.reg

2007-11-10 17:00:40 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-11-10 17:00:40 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >

2007-11-10 17:00:40 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>

2007-11-10 17:00:40 51200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-11-10 15:05:41 0 d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-09 10:34:20 3063 --a------ C:\WINDOWS\system32\m1ax1d1213216143v.exe

2007-11-07 08:14:17 0 d-------- C:\Program Files\Microsoft Security Adviser

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-11-20 08:06:26 0 d-------- C:\Program Files\Symantec AntiVirus

2007-11-20 08:06:00 0 d-------- C:\Program Files\ENDFORCE

2007-11-19 10:51:39 0 d-------- D:\Documents and Settings\212043642\Application Data\Skype

2007-11-19 08:49:51 0 d-------- C:\Program Files\Dl_cats

2007-11-15 13:43:08 0 d-------- C:\Program Files\MTBWIN

2007-11-15 13:43:08 0 d-------- C:\Program Files\Crystal Ball

2007-11-14 13:56:18 0 d-------- C:\Program Files\SafeBoot

2007-11-14 12:27:17 0 d-------- C:\Program Files\QuickTime

2007-11-10 16:41:54 0 d-------- C:\Program Files\Java

2007-11-10 15:04:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-10 14:47:46 0 d-------- D:\Documents and Settings\212043642\Application Data\Lavasoft

2007-11-10 14:38:49 0 d--h----- C:\Program Files\InstallShield Installation Information

2007-11-10 14:35:30 0 d-------- C:\Program Files\Canon

2007-11-09 18:24:03 0 d-------- C:\Program Files\Windows NT

2007-11-09 18:21:46 0 d-------- C:\Program Files\Windows Desktop Search

2007-11-09 18:16:32 0 d-------- C:\Program Files\MSN Messenger

2007-11-09 18:15:43 0 d--h----- C:\Program Files\Movie Maker

2007-11-09 18:13:05 0 d-------- C:\Program Files\Messenger

2007-11-09 18:10:26 0 d-------- C:\Program Files\Live Search Maps for Outlook

2007-11-09 18:02:32 0 d-------- C:\Program Files\Google

2007-11-09 17:57:25 0 d-------- C:\Program Files\Common Files\Symantec Shared

2007-11-09 17:51:36 0 d-------- C:\Program Files\Common Files\Logitech

2007-11-09 12:10:12 0 d-------- C:\Program Files\Apple Software Update

2007-11-09 12:09:54 0 d-------- C:\Program Files\Apoint

2007-11-09 12:09:26 0 d-------- C:\Program Files\AOD

2007-11-09 12:07:00 0 d-------- C:\Program Files\2340_Fiberlink

2007-11-07 08:26:30 0 d-------- C:\Program Files\AIM6

2007-11-05 19:11:30 0 d-------- D:\Documents and Settings\212043642\Application Data\Canon

2007-11-05 00:05:18 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2007-10-22 19:22:10 0 d-------- D:\Documents and Settings\212043642\Application Data\Google

2007-09-20 01:24:24 0 d-------- D:\Documents and Settings\212043642\Application Data\Paltalk

2007-09-07 11:50:34 65096 --a------ D:\Documents and Settings\212043642\Application Data\GDIPFONTCACHEV1.DAT

2007-08-28 13:42:31 224 --a------ C:\WINDOWS\system32\tbhi.dat

 

 

-- Registry Dump ---------------------------------------------------------------

 

*Note* empty entries & legit default entries are not shown

 

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 16:35 C:\WINDOWS\stsystra.exe]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-02 11:00]

"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 21:39]

"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]

"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]

"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 11:33]

"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 15:06]

"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [2007-02-01 10:54]

"CA-AMAgent"="C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe" [2003-03-06 16:04]

"imjpmig"="C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2003-09-02 18:33]

"DsmSxplog"="c:\Program Files\CA\DSM\Bin\sxpstub.exe" [2007-03-03 15:07]

"CAF_SystemTray"="c:\Program Files\CA\DSM\bin\cfSysTray.exe" [2007-03-03 12:30]

"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 12:55]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40]

"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-02 11:00]

 

D:\Documents and Settings\212043642\Start Menu\Programs\Startup\

Infotriever.lnk - C:\Program Files\Infotriever\Agent\infoclient.exe [2007-02-15 09:29:43]

Yahoo! Widget Engine.lnk - D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

 

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-10-05 11:14:32]

HotSync Manager.lnk - D:\Program Files\palmone\Hotsync.exe [2004-06-09 14:16:08]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-14 06:01:04]

Mobile Suite Client.lnk - C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe [2007-02-13 20:50:16]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"SB_NoDispScrSavPage"=0 (0x0)

"NoDispScrSavPage"=0 (0x0)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"NoDispScrSavPage"=0 (0x0)

"SB_NoDispScrSavPage"=0 (0x0)

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

"2"=\\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoWindowsUpdate"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]

c:\Program Files\CA\DSM\Bin\cfwlogon.dll 2007-03-03 12:30 27664 c:\Program Files\CA\DSM\Bin\cfWlogon.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

PCANotify.dll 2004-11-01 12:50 8704 C:\WINDOWS\system32\PCANotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ppeclt]

PPEClt.dll 2005-05-25 04:00 163840 C:\WINDOWS\system32\PPEClt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\]

"Script"=Workstation_Startup_Script.vbs

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{270f82ac-ff18-11db-915e-0015c548d277}]

AutoRun\command- F:\setupSNK.exe

 

*Newly Created Service* - IG40WNT

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub

 

 

 

-- End of Deckard's System Scanner: finished at 2007-11-20 10:37:03 ------------


Hi again,

 

* Download Killbox.

Click killbox.exe.

Select the option "Delete on reboot".

Click the button: All Files (!important!)

Now it should flash green.

 

Now copy the next bold part:

 

C:\WINDOWS\system32\tmp.reg

C:\WINDOWS\system32\WS2Fix.exe

C:\WINDOWS\system32\m1ax1d1213216143v.exe

 

Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

 

Then press the button that looks like a red circle with a white X in it.

Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click YES.

If you don't get that message, reboot manually.

 

Your computer should reboot now.

 

Next:

 

Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-secure.com/enu/home/ols.shtml

 

Scroll to the bottom of the page, and click Start Scan.

 

When prompted, choose to install the software. After the software has installed, click Accept. Click Custom Scan and check the option for Scan inside archives, then click Start. The necessary databases will then be downloaded, and the scan will then start automatically.

 

Please be patient as this scan will take a while to complete. If any infections are found then once the scan has finished, the "cleaning" screen will be displayed.

 

Choose Automatic cleaning (recommended). After cleaning has finished, the Finish screen will be displayed.

 

Choose Show Report. In order to post the report, press CTRL+A on your keyboard to highlight all the text.

 

Then copy and paste that information into this thread.

 

jedi


Hi Jedi,

 

All recommended actions performed - here is the result of the F-Secure scan.

 

----------------------------------------------------------

 

Scanning Report

Tuesday, November 20, 2007 11:35:24 - 16:05:35

Computer name: USHC854TQB1L

Scanning type: Scan system for viruses, rootkits, spyware

Target: C:\ D:\

 

 

--------------------------------------------------------------------------------

 

Result: 35 malware found

Tracking Cookie (spyware)

System (Disinfected)

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

System

W32/Jesta.A (virus)

C:\WINDOWS\jestertb.dll (Submitted)

 

--------------------------------------------------------------------------------

 

Statistics

Scanned:

Files: 205976

System: 5453

Not scanned: 85

Actions:

Disinfected: 1

Renamed: 0

Deleted: 0

None: 34

Submitted: 1

Files not scanned:

xނ?ӁAGEFILE.SYS

C:\WINDOWS\SYSTEM32\DRIVERS\SAFEBOOT.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\SUPPORT\Software\PKZIP_V5\pkzip v5.0_GEHC.exe\pkzs\Self-Extractors\pksfx500.msi\stream 8\F1046_Pksfxs.dat\WIN32_X86_G500

\\?\C:\SUPPORT\DRV\D620\Comm\R120225\Utility\config.bin\profiles.xml

C:\SUPPORT\DRV\D620\Comm\R120225\Utility\systemid.zip\SystemID.txt

\\?\C:\SUPPORT\DRV\D620\Comm\R118082\Utility\config.bin\profiles.xml

C:\SUPPORT\DRV\D620\Comm\R118082\Utility\systemid.zip\SystemID.txt

\\?\C:\SUPPORT\DRV\D620\Comm\R118077\Utility\config.bin\profiles.xml

C:\SUPPORT\DRV\D620\Comm\R118077\Utility\systemid.zip\SystemID.txt

\\?\C:\DRV\D620\Comm\R120225\Utility\config.bin\profiles.xml

C:\DRV\D620\Comm\R120225\Utility\systemid.zip\SystemID.txt

\\?\C:\DRV\D620\Comm\R118082\Utility\config.bin\profiles.xml

C:\DRV\D620\Comm\R118082\Utility\systemid.zip\SystemID.txt

\\?\C:\DRV\D620\Comm\R118077\Utility\config.bin\profiles.xml

C:\DRV\D620\Comm\R118077\Utility\systemid.zip\SystemID.txt

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip\vx.tll

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsActiveDesktop.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsActiveDesktop1.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer1.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify1.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify2.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify3.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify4.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify5.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled2.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled3.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled4.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled5.zip\sbRecovery.reg

D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisabled.zip\sbRecovery.reg

--------------------------------------------------------------------------------

 

Options

Scanning engines:

F-Secure Libra: 2.4.2, 2007-11-19

F-Secure AVP: 7.0.171, 2007-11-20

F-Secure Orion: 1.2.37, 2007-11-20

F-Secure Blacklight: 1.0.64

F-Secure Draco: 1.0.35, 2007-10-30

F-Secure Pegasus: 1.19.0, 2007-10-18

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX

Scan inside archives

Use Advanced heuristics

 

--------------------------------------------------------------------------------

 


Hi again,

 

Please try running a new version of ComboFix again:

 

1. Download this file -

ComboFix

2. Double click ComboFix.exe & follow the prompts.

3. When finished, it will produce a log for you. Post that log in your next reply.

 

Note:

Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

 

jedi


Hi Jedi, here is the combofix log:

 

-----------------------

 

ComboFix 07-11-19.3 - 212043642 2007-11-21 21:36:48.3 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.394 [GMT -5:00]

Running from: D:\Documents and Settings\212043642\Desktop\ComboFix.exe

.

 

((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))

.

 

2007-11-21 08:37 1,494,528 -----c--- C:\WINDOWS\system32\dllcache\shdocvw.dll

2007-11-21 08:37 658,944 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll

2007-11-21 08:37 615,424 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll

2007-11-21 08:37 474,112 -----c--- C:\WINDOWS\system32\dllcache\shlwapi.dll

2007-11-21 08:37 39,424 -----c--- C:\WINDOWS\system32\dllcache\pngfilt.dll

2007-11-19 22:14 <DIR> d-------- D:\Documents and Settings\212043642\DoctorWeb

2007-11-15 13:48 <DIR> d-------- D:\Documents and Settings\212043642\Application Data\GlarySoft

2007-11-14 12:41 549,376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll

2007-11-14 12:29 <DIR> d-------- C:\Program Files\iPod

2007-11-10 17:01 0 --a------ C:\WINDOWS\system32\tmp.txt

2007-11-10 17:00 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2007-11-10 17:00 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe

2007-11-10 17:00 51,200 --a------ C:\WINDOWS\system32\dumphive.exe

2007-11-10 16:41 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2007-11-10 16:41 5,329 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log

2007-11-10 15:05 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft

2007-11-02 01:38 389,180 --a------ C:\WINDOWS\system32\UCS32P.DLL

2007-11-02 01:38 339,968 --a------ C:\WINDOWS\system32\N067UFW.DLL

2007-11-02 01:38 36,864 --a------ C:\WINDOWS\system32\CNQU70.DLL

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-22 02:12 --------- d-----w C:\Program Files\Symantec AntiVirus

2007-11-22 02:11 --------- d-----w C:\Program Files\ENDFORCE

2007-11-21 14:36 --------- d-----w C:\Program Files\SafeBoot

2007-11-19 15:51 --------- d-----w D:\Documents and Settings\212043642\Application Data\Skype

2007-11-19 13:49 --------- d-----w C:\Program Files\Dl_cats

2007-11-15 18:43 --------- d-----w C:\Program Files\MTBWIN

2007-11-15 18:43 --------- d-----w C:\Program Files\Crystal Ball

2007-11-14 17:27 --------- d-----w C:\Program Files\QuickTime

2007-11-10 21:48 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-10 21:41 --------- d-----w C:\Program Files\Java

2007-11-10 20:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-11-10 19:47 --------- d-----w D:\Documents and Settings\212043642\Application Data\Lavasoft

2007-11-10 19:38 --------- d--h--w C:\Program Files\InstallShield Installation Information

2007-11-10 19:35 --------- d-----w C:\Program Files\Canon

2007-11-09 23:21 --------- d-----w C:\Program Files\Windows Desktop Search

2007-11-09 23:16 --------- d-----w C:\Program Files\MSN Messenger

2007-11-09 23:10 --------- d-----w C:\Program Files\Live Search Maps for Outlook

2007-11-09 23:02 --------- d-----w C:\Program Files\Google

2007-11-09 22:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2007-11-09 22:51 --------- d-----w C:\Program Files\Common Files\Logitech

2007-11-09 17:10 --------- d-----w C:\Program Files\Apple Software Update

2007-11-09 17:09 --------- d-----w C:\Program Files\Apoint

2007-11-09 17:09 --------- d-----w C:\Program Files\AOD

2007-11-09 17:07 --------- d-----w C:\Program Files\2340_Fiberlink

2007-11-07 13:26 --------- d-----w C:\Program Files\AIM6

2007-11-06 00:11 --------- d-----w D:\Documents and Settings\212043642\Application Data\Canon

2007-11-04 20:01 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs

2007-09-07 16:50 65,096 ----a-w D:\Documents and Settings\212043642\Application Data\GDIPFONTCACHEV1.DAT

2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

 

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

----a-w 396 2007-11-22 02:12:14 C:\CLIENTUS\212043642\BAK\NCUSER.mnv

----a-w 396 2007-11-22 02:12:13 C:\CLIENTUS\212043642\NCUSER.mnv

 

----a-w 412 2007-05-08 12:53:04 C:\CLIENTUS\212043642\BAK\UMDAT.DIF

 

----a-w 15,965 2007-11-21 13:20:26 C:\CLIENTWS\BAK\amapp.dat

 

----a-w 2,744 2007-11-22 02:13:31 C:\CLIENTWS\BAK\Compliance.mnv

----a-w 2,744 2007-11-22 02:13:31 C:\CLIENTWS\Compliance.mnv

 

----a-w 25,561 2007-11-22 02:13:31 C:\CLIENTWS\BAK\IG40.INV

----a-w 25,561 2007-11-22 02:13:28 C:\CLIENTWS\IG40.INV

 

----a-w 721 2007-11-22 02:13:31 C:\CLIENTWS\BAK\NCWORK.mnv

----a-w 721 2007-11-22 02:13:31 C:\CLIENTWS\NCWORK.mnv

 

----a-w 1,620 2007-11-22 02:13:31 C:\CLIENTWS\BAK\security.MNV

----a-w 1,620 2007-11-22 02:13:31 C:\CLIENTWS\security.MNV

 

----a-w 823 2007-11-22 02:13:32 C:\CLIENTWS\BAK\UMDAT.DIF

 

----a-w 75,650 2007-11-21 13:20:08 C:\CLIENTWS\BAK\UMISW.DAT

 

----a-r 176,128 2005-10-07 20:13:38 C:\Program Files\Apoint\bak\Apoint.exe

 

----a-w 3,104 2007-11-21 17:45:06 C:\Program Files\CA\DSM\Agent\units\00000001\BAK\basic.inv

----a-w 3,104 2007-11-21 17:45:06 C:\Program Files\CA\DSM\Agent\units\00000001\basic.inv

 

----a-w 30,393 2007-11-21 17:49:36 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\amsoft.xml

 

----a-w 2,961 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\Compliance.mnv

----a-w 2,961 2007-11-21 17:49:43 C:\Program Files\CA\DSM\Agent\units\00000001\uam\Compliance.mnv

 

----a-w 14,130 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\ENDForce.INV

----a-w 14,130 2007-11-21 17:45:39 C:\Program Files\CA\DSM\Agent\units\00000001\uam\ENDForce.INV

 

----a-w 608 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\GEHCInventory.mnv

----a-w 608 2007-11-21 17:49:43 C:\Program Files\CA\DSM\Agent\units\00000001\uam\GEHCInventory.mnv

 

----a-w 46,989 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\IG40.INV

----a-w 46,989 2007-11-21 17:45:27 C:\Program Files\CA\DSM\Agent\units\00000001\uam\IG40.INV

 

----a-w 289 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\PERF.INV

----a-w 289 2007-05-23 13:02:11 C:\Program Files\CA\DSM\Agent\units\00000001\uam\PERF.INV

 

----a-w 788 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\Security.mnv

----a-w 788 2007-11-21 17:49:43 C:\Program Files\CA\DSM\Agent\units\00000001\uam\Security.mnv

 

----a-w 45,056 2003-03-07 08:04:00 C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe

----a-w 45,056 2003-03-06 21:04:00 C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE

 

----a-w 81,920 2004-07-27 20:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

 

----a-w 221,184 2004-07-27 20:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

 

----a-w 192,591 2003-09-03 17:33:58 C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe

----a-w 192,591 2003-09-02 23:33:58 C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE

 

----a-w 44,544 2001-01-09 17:01:14 C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe

 

----a-w 48,752 2005-10-04 18:42:40 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 48,800 2005-12-21 16:33:28 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

 

----a-w 1,174,528 2006-07-11 12:23:50 C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe

----a-w 1,174,528 2006-07-11 11:23:50 C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

 

----a-w 49,152 2005-12-10 00:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

 

----a-w 1,626,112 2006-01-11 01:16:54 C:\Program Files\ENDFORCE\bak\AgntTray.exe

 

----a-w 171,448 2007-01-25 18:54:46 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

 

----a-w 75,520 2006-12-15 08:23:27 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

 

----a-w 67,128 2007-02-27 02:30:59 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

 

----a-w 489,472 2005-12-07 14:26:30 C:\Program Files\Logitech\Video\bak\CameraAssistant.exe

 

----a-w 73,728 2005-12-07 14:33:16 C:\Program Files\Logitech\Video\bak\InstallHelper.exe

 

----a-w 282,624 2006-10-25 23:58:18 C:\Program Files\QuickTime\bak\qttask.exe

----a-w 286,720 2007-10-20 01:16:26 C:\Program Files\QuickTime\QTTask.exe

 

----a-w 85,744 2005-11-15 19:28:04 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

----a-w 85,744 2006-05-27 20:06:20 C:\Program Files\Symantec AntiVirus\VPTray.exe

 

----a-w 208,952 2004-08-02 16:00:00 C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE

----a-w 208,952 2004-08-02 16:00:00 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

 

----a-w 45,056 2003-03-07 08:04:00 C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe

 

----a-w 15,360 2004-08-02 16:00:00 C:\WINDOWS\system32\bak\ctfmon.exe

----a-w 15,360 2004-08-02 16:00:00 C:\WINDOWS\system32\ctfmon.exe

 

----a-w 262,144 2004-11-01 21:22:22 C:\WINDOWS\system32\bak\ElkCtrl.exe

 

----a-w 77,824 2005-12-13 23:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

 

----a-w 118,784 2005-12-13 23:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

 

----a-w 98,304 2005-12-13 23:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

 

----a-w 225,280 2005-12-09 19:32:18 C:\WINDOWS\system32\bak\LVCOMSX.EXE

 

----a-w 1,347,584 2005-12-19 15:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

 

----a-w 122,940 2005-09-08 09:20:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE

 

----a-w 59,392 2002-08-29 02:39:06 C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe

----a-w 59,392 2002-08-29 02:39:06 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe

 

----a-w 455,168 2002-08-29 02:39:50 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE

----a-w 455,168 2002-08-29 02:39:50 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

 

----a-w 107,008 2006-07-14 20:36:57 D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe

 

----a-w 49,152 2006-02-19 07:41:10 D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

----a-w 49,152 2006-02-19 06:41:10 D:\Program Files\HP\HP Software Update\hpwuSchd2.exe

 

----a-w 256,576 2006-10-30 14:36:36 D:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 267,048 2007-11-02 23:36:42 D:\Program Files\iTunes\iTunesHelper.exe

 

----a-w 341,504 2006-07-11 12:24:42 D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe

----a-w 341,504 2006-07-11 11:24:42 D:\Program Files\TiVo\Desktop\TiVoNotify.exe

 

----a-w 1,313,792 2006-07-11 12:26:52 D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe

----a-w 1,313,792 2006-07-11 11:26:52 D:\Program Files\TiVo\Desktop\TiVoServer.exe

 

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-02 11:00]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 16:35 C:\WINDOWS\stsystra.exe]

"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-02 11:00]

"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 21:39]

"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]

"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]

"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 11:33]

"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 15:06]

"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [2007-02-01 10:54]

"CA-AMAgent"="C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe" [2003-03-06 16:04]

"imjpmig"="C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2003-09-02 18:33]

"DsmSxplog"="c:\Program Files\CA\DSM\Bin\sxpstub.exe" [2007-03-03 15:07]

"CAF_SystemTray"="c:\Program Files\CA\DSM\bin\cfSysTray.exe" [2007-03-03 12:30]

"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 12:55]

"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40]

"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2004-08-02 11:00]

 

D:\Documents and Settings\212043642\Start Menu\Programs\Startup\

Infotriever.lnk - C:\Program Files\Infotriever\Agent\infoclient.exe [2007-02-15 09:29:43]

Yahoo! Widget Engine.lnk - D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

 

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-10-05 11:14:32]

HotSync Manager.lnk - D:\Program Files\palmone\Hotsync.exe [2004-06-09 14:16:08]

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-14 06:01:04]

Mobile Suite Client.lnk - C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe [2007-02-13 20:50:16]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"SB_NoDispScrSavPage"= 0 (0x0)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"NoDispScrSavPage"= 0 (0x0)

"SB_NoDispScrSavPage"= 0 (0x0)

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoWindowsUpdate"= 1 (0x1)

 

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]

c:\Program Files\CA\DSM\Bin\cfwlogon.dll 2007-03-03 12:30 27664 c:\Program Files\CA\DSM\Bin\cfWlogon.dll

c:\WINDOWS\system32\NavLogon.dll 2006-05-27 15:06 43760 c:\WINDOWS\system32\NavLogon.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]

PCANotify.dll 2004-11-01 12:50 8704 C:\WINDOWS\system32\PCANotify.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ppeclt]

PPEClt.dll 2005-05-25 04:00 163840 C:\WINDOWS\system32\PPEClt.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]

"Script"=Workstation_Startup_Script.vbs

 

R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys

R0 megasas;DELL PERC RAID Driver;C:\WINDOWS\system32\drivers\megasas.sys

R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys

R0 SBAlg;SBAlg;C:\WINDOWS\system32\drivers\SBAlg.sys

R1 efPktFtr;ENDFORCE Quarantine Filter;\??\c:\WINDOWS\System32\Drivers\efPktFtr.sys

R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys

R1 SBFlop;SBFlop;C:\WINDOWS\system32\drivers\SBFlop.sys

R1 SbPrcCtl;SbPrcCtl;C:\WINDOWS\system32\drivers\SbPrcCtl.sys

R2 caf;CA DSM r11 Common Application Framework.;"c:\Program Files\CA\DSM\bin\caf.exe" service

R2 ENDFORCE Agent API;ENDFORCE Agent API;"c:\Program Files\ENDFORCE\AgentAPI.exe"

R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;C:\Program Files\SafeBoot\SBMGRNT.EXE

R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service

R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys

R3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys

R4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys

S3 RapFile;RapFile;\??\C:\WINDOWS\System32\drivers\RapFile.sys

S3 RapNet;RapNet;\??\C:\WINDOWS\System32\drivers\RapNet.sys

S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys

S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys

S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{270f82ac-ff18-11db-915e-0015c548d277}]

\Shell\AutoRun\command - F:\setupSNK.exe

 

*Newly Created Service* - IG40WNT

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]

rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub

.

Contents of the 'Scheduled Tasks' folder

"2007-11-21 17:08:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

 

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-21 21:38:34

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2007-11-21 21:41:34

C:\ComboFix2.txt ... 2007-11-21 18:18

.

--- E O F ---

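The AWF section of the ComboFix log above is what the next reply works from: each entry in a `bak` folder is a legitimate autostart program that was moved aside, and the entry beside it (when ComboFix lists one) is whatever now sits in its place. The Python script below is an added example, not code from the thread, from ComboFix or from FindAWF. It parses that section, pairs every bak copy with the file in its parent folder, flags size differences, and emits the list of bak paths that FindAWF's option 2 expects. Two caveats a practitioner would add: equal size is not proof of integrity (hash both copies before trusting the parent), and a different size can be a legitimate update rather than a dropper (the QuickTime pair in the log is a year apart and the newer file is the one the HKLM Run key points to), so the verdicts are triage flags, not conclusions. The sample input is a handful of lines copied from the log; the line format it assumes is `<attrs> <size> <yyyy-mm-dd hh:mm:ss> <path>`.

```python
"""Triage the AWF section of a ComboFix log and build a FindAWF restore list.

Assumed file-line format (taken from the log in this thread):
    <attrs> <size> <yyyy-mm-dd hh:mm:ss> <path>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One ComboFix file line: attribute flags, comma-grouped size, timestamp, path.
_LINE = re.compile(
    r"^(?P<attr>\S+)\s+(?P<size>\d[\d,]*)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    path: str
    size: int
    stamp: str


@dataclass
class Pair:
    bak: Entry               # copy sitting in the bak folder
    parent: Optional[Entry]  # file currently in the parent folder, if listed
    verdict: str             # "same-size", "size-differs" or "parent-missing"


def parse_awf_section(text: str) -> List[Entry]:
    """Return every file line in the section; headers and blank lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], int(m["size"].replace(",", "")), m["stamp"]))
    return entries


def bak_parent(path: str) -> Optional[str]:
    """Path a bak copy was displaced from (...\\bak\\X -> ...\\X), else None."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def classify(entries: List[Entry]) -> List[Pair]:
    # Windows paths are case-insensitive: the log shows QTTask.exe beside qttask.exe.
    by_path: Dict[str, Entry] = {e.path.lower(): e for e in entries}
    pairs: List[Pair] = []
    for e in entries:
        original = bak_parent(e.path)
        if original is None:
            continue
        parent = by_path.get(original.lower())
        if parent is None:
            verdict = "parent-missing"
        elif parent.size != e.size:
            verdict = "size-differs"
        else:
            verdict = "same-size"
        pairs.append(Pair(e, parent, verdict))
    return pairs


def restore_list(entries: List[Entry]) -> List[str]:
    """Every bak path, in log order: the list FindAWF option 2 expects in files.txt."""
    return [p.bak.path for p in classify(entries)]


# Constructed sample: a few lines copied from the ComboFix AWF section above.
SAMPLE = r"""
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
----a-w 396 2007-11-22 02:12:14 C:\CLIENTUS\212043642\BAK\NCUSER.mnv
----a-w 396 2007-11-22 02:12:13 C:\CLIENTUS\212043642\NCUSER.mnv

----a-w 81,920 2004-07-27 20:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 48,752 2005-10-04 18:42:40 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 48,800 2005-12-21 16:33:28 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 282,624 2006-10-25 23:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-10-20 01:16:26 C:\Program Files\QuickTime\QTTask.exe
"""

if __name__ == "__main__":
    parsed = parse_awf_section(SAMPLE)
    for p in classify(parsed):
        print(f"{p.verdict:15} {p.bak.path}")
    print("\n".join(restore_list(parsed)))
```

Paste the whole AWF section in place of `SAMPLE` to get the full restore list; the pairing is done on the lowercased path, so mixed-case entries such as `QTTask.exe` still match their bak copy.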

Hi again,

 

That was useful; it shows you have a file-infector virus, which we will now start to remove:

 

Please download FindAWF:

http://noahdfear.net/downloads/FindAWF.exe

 

Save the file to the Desktop

Double-click the FindAWF icon.

 

If a Security Alert shows, allow the program to run.

As instructed, press any key to continue.

Use the following option: Press 2 then Enter to restore files from bak folders

 

A text file opens called: files.txt

Click below the line and paste the following list of files to be restored:

 

C:\CLIENTUS\212043642\BAK\NCUSER.mnv

C:\CLIENTUS\212043642\BAK\UMDAT.DIF

C:\CLIENTWS\BAK\amapp.dat

C:\CLIENTWS\BAK\Compliance.mnv

C:\CLIENTWS\BAK\IG40.INV

C:\CLIENTWS\BAK\NCWORK.mnv

C:\CLIENTWS\BAK\security.MNV

C:\CLIENTWS\security.MNV

C:\CLIENTWS\BAK\UMDAT.DIF

C:\CLIENTWS\BAK\UMISW.DAT

C:\Program Files\Apoint\bak\Apoint.exe

C:\Program Files\CA\DSM\Agent\units\00000001\BAK\basic.inv

C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\amsoft.xml

C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\Compliance.mnv

C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\ENDForce.INV

C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\GEHCInventory.mnv

C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\IG40.INV

C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\PERF.INV

C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\Security.mnv

C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe

C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe

C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe

C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe

C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

C:\Program Files\ENDFORCE\bak\AgntTray.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

C:\Program Files\Logitech\Video\bak\CameraAssistant.exe

C:\Program Files\Logitech\Video\bak\InstallHelper.exe

C:\Program Files\QuickTime\bak\qttask.exe

C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE

C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe

C:\WINDOWS\system32\bak\ctfmon.exe

C:\WINDOWS\system32\bak\ElkCtrl.exe

C:\WINDOWS\system32\bak\hkcmd.exe

C:\WINDOWS\system32\bak\igfxpers.exe

C:\WINDOWS\system32\bak\igfxtray.exe

C:\WINDOWS\system32\bak\LVCOMSX.EXE

C:\WINDOWS\system32\bak\WLTRAY.exe

C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE

C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe

C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE

D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe

D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

D:\Program Files\iTunes\bak\iTunesHelper.exe

D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe

D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe

 

Next, close the file and click Yes to save the changes.

 

Once files.txt is saved, FindAWF does the following:

-It attempts to terminate the process represented by each filename on the list, if running

-Deletes the rogue file from the parent folder, if present

-Copies the original file to the parent folder

 

When done with the above, it automatically runs a new scan and opens a new log.

Please provide the new FindAWF log in your reply.

 

jedi


Thanks Jedi, here is the FindAWF log:

 

----------------------------

 

 

Find AWF report by noahdfear ©2006

Version 1.40

Option 2 run successfully

 

The current date is: 2007-11-22

The current time is: 12:48:27.26

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\CLIENTWS\BAK

 

2007-11-22 11:57 16,054 amapp.dat

2007-11-22 11:58 2,744 Compliance.mnv

2007-11-22 11:58 25,563 IG40.INV

2007-11-22 11:58 721 NCWORK.mnv

2007-11-22 11:58 1,620 security.MNV

2007-11-22 11:58 734 UMDAT.DIF

2007-11-22 11:57 75,734 UMISW.DAT

7 File(s) 123,170 bytes

 

Directory of C:\CLIENTUS\212043~1\BAK

 

2007-11-22 11:55 396 NCUSER.mnv

2007-05-08 07:53 412 UMDAT.DIF

2 File(s) 808 bytes

 

Directory of C:\PROGRA~1\APOINT\BAK

 

2005-10-07 15:13 176,128 Apoint.exe

1 File(s) 176,128 bytes

 

Directory of C:\PROGRA~1\ENDFORCE\BAK

 

2006-01-10 20:16 1,626,112 AgntTray.exe

1 File(s) 1,626,112 bytes

 

Directory of C:\PROGRA~1\MSNMES~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\QUICKT~1\BAK

 

2006-10-25 18:58 282,624 qttask.exe

1 File(s) 282,624 bytes

 

Directory of C:\PROGRA~1\SAFEBOOT\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\SYMANT~1\BAK

 

2005-11-15 14:28 85,744 VPTray.exe

1 File(s) 85,744 bytes

 

Directory of C:\WINDOWS\SYSTEM32\BAK

 

2004-08-02 11:00 15,360 ctfmon.exe

2004-11-01 16:22 262,144 ElkCtrl.exe

2005-12-13 18:41 77,824 hkcmd.exe

2005-12-13 18:45 118,784 igfxpers.exe

2005-12-13 18:44 98,304 igfxtray.exe

2005-12-09 14:32 225,280 LVCOMSX.EXE

2005-12-19 10:08 1,347,584 WLTRAY.exe

7 File(s) 2,145,280 bytes

 

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

 

2005-10-04 13:42 48,752 ccApp.exe

1 File(s) 48,752 bytes

 

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

 

2005-12-09 19:29 49,152 DVDLauncher.exe

1 File(s) 49,152 bytes

 

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

 

2005-12-07 09:26 489,472 CameraAssistant.exe

2005-12-07 09:33 73,728 InstallHelper.exe

2 File(s) 563,200 bytes

 

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

 

2004-08-02 11:00 208,952 IMJPMIG.EXE

1 File(s) 208,952 bytes

 

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

 

2005-09-08 04:20 122,940 DLACTRLW.EXE

1 File(s) 122,940 bytes

 

Directory of C:\PROGRA~1\CA\UNICEN~2\AGENTS\BAK

 

2003-03-07 03:04 45,056 amagent.exe

1 File(s) 45,056 bytes

 

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

 

2004-07-27 15:50 81,920 issch.exe

2004-07-27 15:50 221,184 ISUSPM.exe

2 File(s) 303,104 bytes

 

Directory of C:\PROGRA~1\COMMON~1\TIVOSH~1\TRANSFER\BAK

 

2006-07-11 07:23 1,174,528 TiVoTransfer.exe

1 File(s) 1,174,528 bytes

 

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

 

2007-01-25 13:54 171,448 GoogleToolbarNotifier.exe

1 File(s) 171,448 bytes

 

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

 

2006-12-15 03:23 75,520 jusched.exe

1 File(s) 75,520 bytes

 

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

 

2002-08-28 21:39 59,392 ImScInst.exe

1 File(s) 59,392 bytes

 

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

 

2002-08-28 21:39 455,168 TINTSETP.EXE

1 File(s) 455,168 bytes

 

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP\BAK

 

2003-09-03 12:33 192,591 imjpmig.exe

1 File(s) 192,591 bytes

 

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMKR\BAK

 

2001-01-09 12:01 44,544 imekrmig.exe

1 File(s) 44,544 bytes

 

Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

 

2007-02-26 21:30 67,128 LogitechDesktopMessenger.exe

1 File(s) 67,128 bytes

 

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000001\BAK

 

2007-11-21 12:45 3,104 basic.inv

1 File(s) 3,104 bytes

 

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000001\UAM\BAK

 

2007-11-21 12:49 30,393 amsoft.xml

2007-11-21 12:49 2,961 Compliance.mnv

2007-11-21 12:49 14,130 ENDForce.INV

2007-11-21 12:49 608 GEHCInventory.mnv

2007-11-21 12:49 46,989 IG40.INV

2007-11-21 12:49 289 PERF.INV

2007-11-21 12:49 788 Security.mnv

7 File(s) 96,158 bytes

 

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000003\UAM\BAK

 

0 File(s) 0 bytes

 

Directory of C:\WINDOWS\OPTIONS\PACKAGES\COREAPPS\ITAMAG~1\UAM\BACKUP\AGENTS\BAK

 

2003-03-07 03:04 45,056 amagent.exe

1 File(s) 45,056 bytes

 

Directory of D:\PROGRA~1\EFAXME~1.2\BAK

 

2006-07-14 15:36 107,008 J2GDllCmd.exe

1 File(s) 107,008 bytes

 

Directory of D:\PROGRA~1\ITUNES\BAK

 

2006-10-30 09:36 256,576 iTunesHelper.exe

1 File(s) 256,576 bytes

 

Directory of D:\PROGRA~1\HP\HPSOFT~1\BAK

 

2006-02-19 02:41 49,152 HPWuSchd2.exe

1 File(s) 49,152 bytes

 

Directory of D:\PROGRA~1\TIVO\DESKTOP\BAK

 

2006-07-11 07:24 341,504 TiVoNotify.exe

2006-07-11 07:26 1,313,792 TiVoServer.exe

2 File(s) 1,655,296 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

16054 Nov 22 2007 "C:\CLIENTWS\amapp.dat"

16054 Nov 22 2007 "C:\CLIENTWS\BAK\amapp.dat"

2744 Nov 22 2007 "C:\CLIENTWS\Compliance.mnv"

2744 Nov 22 2007 "C:\CLIENTWS\BAK\Compliance.mnv"

2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Compliance.mnv"

2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv"

25563 Nov 22 2007 "C:\CLIENTWS\IG40.INV"

25563 Nov 22 2007 "C:\CLIENTWS\BAK\IG40.INV"

46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\IG40.INV"

46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV"

721 Nov 22 2007 "C:\CLIENTWS\NCWORK.mnv"

721 Nov 22 2007 "C:\CLIENTWS\BAK\NCWORK.mnv"

1620 Nov 22 2007 "C:\CLIENTWS\security.MNV"

1620 Nov 22 2007 "C:\CLIENTWS\BAK\security.MNV"

788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Security.mnv"

788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv"

734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"

412 May 8 2007 "C:\CLIENTUS\212043642\UMDAT.DIF"

734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"

412 May 8 2007 "C:\CLIENTUS\212043642\BAK\UMDAT.DIF"

75734 Nov 22 2007 "C:\CLIENTWS\UMISW.DAT"

75734 Nov 22 2007 "C:\CLIENTWS\BAK\UMISW.DAT"

396 Nov 22 2007 "C:\CLIENTUS\212043642\NCUSER.mnv"

396 Nov 22 2007 "C:\CLIENTUS\212043642\BAK\NCUSER.mnv"

734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"

412 May 8 2007 "C:\CLIENTUS\212043642\UMDAT.DIF"

734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"

412 May 8 2007 "C:\CLIENTUS\212043642\BAK\UMDAT.DIF"

176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"

176128 Oct 7 2005 "C:\DRV\D620\Input\R113813\Apoint.exe"

176128 Oct 7 2005 "C:\SUPPORT\DRV\D620\Input\R113813\Apoint.exe"

1626112 Jan 10 2006 "C:\Program Files\ENDFORCE\bak\AgntTray.exe"

286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"

282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"

85744 May 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"

85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"

15360 Aug 2 2004 "C:\WINDOWS\system32\ctfmon.exe"

15360 Aug 2 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"

8192 Feb 21 2001 "C:\SUPPORT\Base_Applications\Officexp\Base\Files\System\Ctfmon.exe"

8192 Feb 21 2001 "C:\SUPPORT\Software\MSOutlook\English\Files\System\Ctfmon.exe"

262144 Nov 1 2004 "C:\WINDOWS\system32\ElkCtrl.exe"

262144 Nov 1 2004 "C:\WINDOWS\system32\bak\ElkCtrl.exe"

77824 Dec 13 2005 "C:\WINDOWS\system32\hkcmd.exe"

77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"

77824 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\hkcmd.exe"

118784 Oct 2 2003 "C:\WINDOWS\drivers\intel\graphics\Win2000\hkcmd.exe"

77824 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\hkcmd.exe"

118784 Dec 13 2005 "C:\WINDOWS\system32\igfxpers.exe"

118784 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"

118784 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\igfxpers.exe"

118784 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\igfxpers.exe"

98304 Dec 13 2005 "C:\WINDOWS\system32\igfxtray.exe"

98304 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"

98304 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\igfxtray.exe"

155648 Oct 2 2003 "C:\WINDOWS\drivers\intel\graphics\Win2000\igfxtray.exe"

98304 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\igfxtray.exe"

225280 Dec 9 2005 "C:\WINDOWS\system32\LVCOMSX.EXE"

225280 Dec 9 2005 "C:\WINDOWS\system32\bak\LVCOMSX.EXE"

1347584 Dec 19 2005 "C:\WINDOWS\system32\WLTRAY.exe"

1347584 Dec 19 2005 "C:\WINDOWS\system32\bak\WLTRAY.exe"

1347584 Dec 19 2005 "C:\DRV\D620\Network\R115321\wltray.exe"

1347584 Dec 19 2005 "C:\SUPPORT\DRV\D620\Network\R115321\wltray.exe"

48800 Dec 21 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

49152 Dec 9 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"

489472 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\CameraAssistant.exe"

233472 Nov 2 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowMC\CameraLauncherMC.exe"

106496 Nov 1 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncher.exe"

372736 Mar 2 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowDVC\CameraLauncherDVC.exe"

73728 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\InstallHelper.exe"

147456 Jul 14 2005 "C:\SUPPORT\Base_Applications\VPN_Client\CiscoVPNClient\installservice.exe"

15872 Feb 21 2003 "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe"

28672 Sep 23 2005 "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

173736 Feb 24 2007 "D:\Deckard\System Scanner\backup\WINDOWS\temp\Installer.exe"

208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE"

208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"

192591 Sep 2 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE"

192591 Sep 3 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe"

122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"

122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"

122940 Sep 8 2005 "C:\Program Files\Roxio\Creator Plus-Dell Edition\DLA\install\dlactrlw.exe"

45056 Mar 6 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE"

45056 Mar 7 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe"

45056 Mar 6 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\SRC\AMAGENT.EXE"

45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\amagent.exe"

45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe"

81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"

221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"

1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe"

1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"

52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar2user.exe"

69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"

26694 Oct 22 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"

171448 Jan 25 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"

49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"

59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe"

59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"

455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE"

455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"

208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE"

208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"

192591 Sep 2 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE"

192591 Sep 3 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe"

44032 Aug 23 2001 "C:\WINDOWS\ime\imkr6_1\imekrmig.exe"

44544 Jan 9 2001 "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe"

81920 Dec 6 2005 "C:\Program Files\Logitech\Video\LogitechUpdate.exe"

67128 Feb 26 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"

3104 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\basic.inv"

3104 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\BAK\basic.inv"

30393 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\amsoft.xml"

2744 Nov 22 2007 "C:\CLIENTWS\Compliance.mnv"

2744 Nov 22 2007 "C:\CLIENTWS\BAK\Compliance.mnv"

2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Compliance.mnv"

2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv"

14130 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\ENDForce.INV"

14130 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\ENDForce.INV"

608 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\GEHCInventory.mnv"

608 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\GEHCInventory.mnv"

25563 Nov 22 2007 "C:\CLIENTWS\IG40.INV"

25563 Nov 22 2007 "C:\CLIENTWS\BAK\IG40.INV"

46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\IG40.INV"

46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV"

289 May 23 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\PERF.INV"

289 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\PERF.INV"

1620 Nov 22 2007 "C:\CLIENTWS\security.MNV"

1620 Nov 22 2007 "C:\CLIENTWS\BAK\security.MNV"

788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Security.mnv"

788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv"

45056 Mar 6 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE"

45056 Mar 7 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe"

45056 Mar 6 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\SRC\AMAGENT.EXE"

45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\amagent.exe"

45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe"

107008 Jul 14 2006 "D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe"

102400 Nov 14 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"

267048 Nov 2 2007 "D:\Program Files\iTunes\iTunesHelper.exe"

256576 Oct 30 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"

116008 Nov 14 2007 "D:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"

49152 Feb 19 2006 "D:\Program Files\HP\HP Software Update\hpwuSchd2.exe"

49152 Feb 19 2006 "D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"

341504 Jul 11 2006 "D:\Program Files\TiVo\Desktop\TiVoNotify.exe"

341504 Jul 11 2006 "D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe"

1313792 Jul 11 2006 "D:\Program Files\TiVo\Desktop\TiVoServer.exe"

1313792 Jul 11 2006 "D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe"

 

 

end of report
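The "Duplicate files of bak directory contents" section above lists each bak copy next to the same-named files found elsewhere, and the option 2 step described earlier copies the bak original back over the file in the parent folder. As an added example (not FindAWF's code and not part of this thread), here is a Python parser for that section that pairs every bak entry with the entry in the folder directly above it and reports whether the sizes agree; the line format is inferred from the report above, and the sample lines are copied from it.

```python
import re

# Added example, not part of FindAWF or this thread. It reads the
# "Duplicate files of bak directory contents" section of a FindAWF report,
# whose line format is inferred from the report above:
#   <size> <Mon> <day> <year> "<path>"
# and pairs every file inside a "bak" folder with the same-named file in
# the folder directly above it, so a reviewer can see at a glance which
# originals were copied back intact and which parent copies still differ.
LINE_RE = re.compile(
    r'^\s*(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$'
)

# Constructed sample: a handful of lines taken from the report above.
SAMPLE = r'''
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
15360 Aug 2 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 2 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Feb 21 2001 "C:\SUPPORT\Base_Applications\Officexp\Base\Files\System\Ctfmon.exe"
1626112 Jan 10 2006 "C:\Program Files\ENDFORCE\bak\AgntTray.exe"
734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"
734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"
734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"
'''


def parse_entries(text):
    """Return one dict per well-formed report line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size, mon, day, year, path = m.groups()
        entries.append({"size": int(size), "date": f"{mon} {day} {year}", "path": path})
    return entries


def parent_of_bak(path):
    """If the last folder in path is 'bak' (any case), return the path of
    the same-named file one level up; otherwise return None."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[-2].lower() == "bak":
        return "\\".join(parts[:-2] + parts[-1:])
    return None


def pair_bak_with_parent(entries):
    """For each bak entry (deduplicated; the report repeats some lines),
    find the parent-folder entry and classify the pair. Windows paths are
    case-insensitive, so matching is done on lower-cased paths."""
    by_path = {e["path"].lower(): e for e in entries}
    results, seen = [], set()
    for e in entries:
        parent = parent_of_bak(e["path"])
        if parent is None or e["path"].lower() in seen:
            continue
        seen.add(e["path"].lower())
        p = by_path.get(parent.lower())
        if p is None:
            status = "no parent copy"
        elif p["size"] == e["size"]:
            status = "same size"
        else:
            # A size mismatch is a lead to examine, not a verdict: a newer,
            # larger parent (as with QTTask.exe here) is also what a
            # legitimate product update looks like.
            status = "size differs"
        results.append({
            "bak": e["path"], "parent": parent,
            "bak_size": e["size"], "parent_size": p["size"] if p else None,
            "status": status,
        })
    return results


def needs_review(results):
    """Pairs a reviewer should look at: anything other than an identical-size parent."""
    return [r for r in results if r["status"] != "same size"]


if __name__ == "__main__":
    for r in pair_bak_with_parent(parse_entries(SAMPLE)):
        print(f'{r["status"]:15} {r["bak_size"]:>8} -> {r["parent_size"]!s:>8}  {r["parent"]}')
```

Feed it the whole duplicate section of a report and only the "size differs" and "no parent copy" pairs need a closer look; everything else has an identical-size original back in place.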


Hi again,

 

Double-click the FindAWF icon once again

 

If a Security Alert shows, allow the program to run.

As instructed, press any key to continue.

Use the following option: Press 3 then Enter to remove bak folders

 

A text file opens called: folders.txt

Click below the line and paste the following list of folders to be removed:

 

C:\CLIENTWS\BAK\amapp.dat

C:\CLIENTWS\BAK\Compliance.mnv

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv

C:\CLIENTWS\BAK\IG40.INV

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV

C:\CLIENTWS\BAK\NCWORK.mnv

C:\CLIENTWS\BAK\security.MNV

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv

C:\CLIENTWS\BAK\UMDAT.DIF

C:\CLIENTUS\212043642\BAK\UMDAT.DIF

C:\CLIENTWS\BAK\UMISW.DAT

C:\CLIENTUS\212043642\BAK\NCUSER.mnv

C:\CLIENTWS\BAK\UMDAT.DIF

C:\CLIENTUS\212043642\BAK\UMDAT.DIF

C:\Program Files\Apoint\bak\Apoint.exe

C:\Program Files\ENDFORCE\bak\AgntTray.exe

C:\Program Files\QuickTime\bak\qttask.exe

C:\Program Files\Symantec AntiVirus\bak\VPTray.exe

C:\WINDOWS\system32\bak\ctfmon.exe

C:\WINDOWS\system32\bak\ElkCtrl.exe

C:\WINDOWS\system32\bak\hkcmd.exe

C:\WINDOWS\system32\bak\igfxpers.exe

C:\WINDOWS\system32\bak\igfxtray.exe

C:\WINDOWS\system32\bak\LVCOMSX.EXE

C:\WINDOWS\system32\bak\WLTRAY.exe

C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe

C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

C:\Program Files\Logitech\Video\bak\CameraAssistant.exe

C:\Program Files\Logitech\Video\bak\InstallHelper.exe

C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE

C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe

C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE

C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe

C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe

C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe

C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE

C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE

C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe

C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe

C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

C:\Program Files\CA\DSM\Agent\units000001\BAK\basic.inv

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\amsoft.xml

C:\CLIENTWS\BAK\Compliance.mnv

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\ENDForce.INV

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\GEHCInventory.mnv

C:\CLIENTWS\BAK\IG40.INV

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\PERF.INV

C:\CLIENTWS\BAK\security.MNV

C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv

C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe

C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe

D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe

D:\Program Files\iTunes\bak\iTunesHelper.exe

D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe

D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe

D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe

 

Next, close and click Yes to save the changes.

 

Once folders.txt is saved, FindAWF does the following:

-It deletes the contents of the bak folders

-Removes the bak folders

 

When done with the above, it automatically runs a new scan and opens a new log.

Please provide the new FindAWF log in your reply.

 

jedi


Hi again, and here is the latest log:

 

------------------------------------

 

 

Find AWF report by noahdfear ©2006

Version 1.40

Option 3 run successfully

 

The current date is: 2007-11-22

The current time is: 13:34:41.29

 

 

bak folders found

~~~~~~~~~~~

 

 

Directory of C:\CLIENTWS\BAK

 

2007-11-22 11:57 16,054 amapp.dat

2007-11-22 11:58 2,744 Compliance.mnv

2007-11-22 11:58 25,563 IG40.INV

2007-11-22 11:58 721 NCWORK.mnv

2007-11-22 11:58 1,620 security.MNV

2007-11-22 11:58 734 UMDAT.DIF

2007-11-22 11:57 75,734 UMISW.DAT

7 File(s) 123,170 bytes

 

Directory of C:\CLIENTUS\212043~1\BAK

 

2007-11-22 11:55 396 NCUSER.mnv

2007-05-08 07:53 412 UMDAT.DIF

2 File(s) 808 bytes

 

Directory of C:\PROGRA~1\APOINT\BAK

 

2005-10-07 15:13 176,128 Apoint.exe

1 File(s) 176,128 bytes

 

Directory of C:\PROGRA~1\ENDFORCE\BAK

 

2006-01-10 20:16 1,626,112 AgntTray.exe

1 File(s) 1,626,112 bytes

 

Directory of C:\PROGRA~1\MSNMES~1\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\QUICKT~1\BAK

 

2006-10-25 18:58 282,624 qttask.exe

1 File(s) 282,624 bytes

 

Directory of C:\PROGRA~1\SAFEBOOT\BAK

 

0 File(s) 0 bytes

 

Directory of C:\PROGRA~1\SYMANT~1\BAK

 

2005-11-15 14:28 85,744 VPTray.exe

1 File(s) 85,744 bytes

 

Directory of C:\WINDOWS\SYSTEM32\BAK

 

2004-08-02 11:00 15,360 ctfmon.exe

2004-11-01 16:22 262,144 ElkCtrl.exe

2005-12-13 18:41 77,824 hkcmd.exe

2005-12-13 18:45 118,784 igfxpers.exe

2005-12-13 18:44 98,304 igfxtray.exe

2005-12-09 14:32 225,280 LVCOMSX.EXE

2005-12-19 10:08 1,347,584 WLTRAY.exe

7 File(s) 2,145,280 bytes

 

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

 

2005-10-04 13:42 48,752 ccApp.exe

1 File(s) 48,752 bytes

 

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

 

2005-12-09 19:29 49,152 DVDLauncher.exe

1 File(s) 49,152 bytes

 

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

 

2005-12-07 09:26 489,472 CameraAssistant.exe

2005-12-07 09:33 73,728 InstallHelper.exe

2 File(s) 563,200 bytes

 

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

 

2004-08-02 11:00 208,952 IMJPMIG.EXE

1 File(s) 208,952 bytes

 

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

 

2005-09-08 04:20 122,940 DLACTRLW.EXE

1 File(s) 122,940 bytes

 

Directory of C:\PROGRA~1\CA\UNICEN~2\AGENTS\BAK

 

2003-03-07 03:04 45,056 amagent.exe

1 File(s) 45,056 bytes

 

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

 

2004-07-27 15:50 81,920 issch.exe

2004-07-27 15:50 221,184 ISUSPM.exe

2 File(s) 303,104 bytes

 

Directory of C:\PROGRA~1\COMMON~1\TIVOSH~1\TRANSFER\BAK

 

2006-07-11 07:23 1,174,528 TiVoTransfer.exe

1 File(s) 1,174,528 bytes

 

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

 

2007-01-25 13:54 171,448 GoogleToolbarNotifier.exe

1 File(s) 171,448 bytes

 

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

 

2006-12-15 03:23 75,520 jusched.exe

1 File(s) 75,520 bytes

 

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

 

2002-08-28 21:39 59,392 ImScInst.exe

1 File(s) 59,392 bytes

 

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

 

2002-08-28 21:39 455,168 TINTSETP.EXE

1 File(s) 455,168 bytes

 

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP\BAK

 

2003-09-03 12:33 192,591 imjpmig.exe

1 File(s) 192,591 bytes

 

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMKR\BAK

 

2001-01-09 12:01 44,544 imekrmig.exe

1 File(s) 44,544 bytes

 

Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

 

2007-02-26 21:30 67,128 LogitechDesktopMessenger.exe

1 File(s) 67,128 bytes

 

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000001\BAK

 

2007-11-21 12:45 3,104 basic.inv

1 File(s) 3,104 bytes

 

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000001\UAM\BAK

 

2007-11-21 12:49 30,393 amsoft.xml

2007-11-21 12:49 2,961 Compliance.mnv

2007-11-21 12:49 14,130 ENDForce.INV

2007-11-21 12:49 608 GEHCInventory.mnv

2007-11-21 12:49 46,989 IG40.INV

2007-11-21 12:49 289 PERF.INV

2007-11-21 12:49 788 Security.mnv

7 File(s) 96,158 bytes

 

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000003\UAM\BAK

 

0 File(s) 0 bytes

 

Directory of C:\WINDOWS\OPTIONS\PACKAGES\COREAPPS\ITAMAG~1\UAM\BACKUP\AGENTS\BAK

 

2003-03-07 03:04 45,056 amagent.exe

1 File(s) 45,056 bytes

 

Directory of D:\PROGRA~1\EFAXME~1.2\BAK

 

2006-07-14 15:36 107,008 J2GDllCmd.exe

1 File(s) 107,008 bytes

 

Directory of D:\PROGRA~1\ITUNES\BAK

 

2006-10-30 09:36 256,576 iTunesHelper.exe

1 File(s) 256,576 bytes

 

Directory of D:\PROGRA~1\HP\HPSOFT~1\BAK

 

2006-02-19 02:41 49,152 HPWuSchd2.exe

1 File(s) 49,152 bytes

 

Directory of D:\PROGRA~1\TIVO\DESKTOP\BAK

 

2006-07-11 07:24 341,504 TiVoNotify.exe

2006-07-11 07:26 1,313,792 TiVoServer.exe

2 File(s) 1,655,296 bytes

 

 

Duplicate files of bak directory contents

~~~~~~~~~~~~~~~~~~~~~~~

 

16054 Nov 22 2007 "C:\CLIENTWS\amapp.dat"

16054 Nov 22 2007 "C:\CLIENTWS\BAK\amapp.dat"

2744 Nov 22 2007 "C:\CLIENTWS\Compliance.mnv"

2744 Nov 22 2007 "C:\CLIENTWS\BAK\Compliance.mnv"

2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Compliance.mnv"

2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv"

25563 Nov 22 2007 "C:\CLIENTWS\IG40.INV"

25563 Nov 22 2007 "C:\CLIENTWS\BAK\IG40.INV"

46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\IG40.INV"

46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV"

721 Nov 22 2007 "C:\CLIENTWS\NCWORK.mnv"

721 Nov 22 2007 "C:\CLIENTWS\BAK\NCWORK.mnv"

1620 Nov 22 2007 "C:\CLIENTWS\security.MNV"

1620 Nov 22 2007 "C:\CLIENTWS\BAK\security.MNV"

788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Security.mnv"

788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv"

734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"

412 May 8 2007 "C:\CLIENTUS\212043642\UMDAT.DIF"

734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"

412 May 8 2007 "C:\CLIENTUS\212043642\BAK\UMDAT.DIF"

75734 Nov 22 2007 "C:\CLIENTWS\UMISW.DAT"

75734 Nov 22 2007 "C:\CLIENTWS\BAK\UMISW.DAT"

396 Nov 22 2007 "C:\CLIENTUS\212043642\NCUSER.mnv"

396 Nov 22 2007 "C:\CLIENTUS\212043642\BAK\NCUSER.mnv"

734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"

412 May 8 2007 "C:\CLIENTUS\212043642\UMDAT.DIF"

734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"

412 May 8 2007 "C:\CLIENTUS\212043642\BAK\UMDAT.DIF"

176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"

176128 Oct 7 2005 "C:\DRV\D620\Input\R113813\Apoint.exe"

176128 Oct 7 2005 "C:\SUPPORT\DRV\D620\Input\R113813\Apoint.exe"

1626112 Jan 10 2006 "C:\Program Files\ENDFORCE\bak\AgntTray.exe"

286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"

282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"

85744 May 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"

85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"

15360 Aug 2 2004 "C:\WINDOWS\system32\ctfmon.exe"

15360 Aug 2 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"

8192 Feb 21 2001 "C:\SUPPORT\Base_Applications\Officexp\Base\Files\System\Ctfmon.exe"

8192 Feb 21 2001 "C:\SUPPORT\Software\MSOutlook\English\Files\System\Ctfmon.exe"

262144 Nov 1 2004 "C:\WINDOWS\system32\ElkCtrl.exe"

262144 Nov 1 2004 "C:\WINDOWS\system32\bak\ElkCtrl.exe"

77824 Dec 13 2005 "C:\WINDOWS\system32\hkcmd.exe"

77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"

77824 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\hkcmd.exe"

118784 Oct 2 2003 "C:\WINDOWS\drivers\intel\graphics\Win2000\hkcmd.exe"

77824 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\hkcmd.exe"

118784 Dec 13 2005 "C:\WINDOWS\system32\igfxpers.exe"

118784 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"

118784 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\igfxpers.exe"

118784 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\igfxpers.exe"

98304 Dec 13 2005 "C:\WINDOWS\system32\igfxtray.exe"

98304 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"

98304 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\igfxtray.exe"

155648 Oct 2 2003 "C:\WINDOWS\drivers\intel\graphics\Win2000\igfxtray.exe"

98304 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\igfxtray.exe"

225280 Dec 9 2005 "C:\WINDOWS\system32\LVCOMSX.EXE"

225280 Dec 9 2005 "C:\WINDOWS\system32\bak\LVCOMSX.EXE"

1347584 Dec 19 2005 "C:\WINDOWS\system32\WLTRAY.exe"

1347584 Dec 19 2005 "C:\WINDOWS\system32\bak\WLTRAY.exe"

1347584 Dec 19 2005 "C:\DRV\D620\Network\R115321\wltray.exe"

1347584 Dec 19 2005 "C:\SUPPORT\DRV\D620\Network\R115321\wltray.exe"

48800 Dec 21 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"

49152 Dec 9 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"

489472 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\CameraAssistant.exe"

233472 Nov 2 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowMC\CameraLauncherMC.exe"

106496 Nov 1 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncher.exe"

372736 Mar 2 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowDVC\CameraLauncherDVC.exe"

73728 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\InstallHelper.exe"

147456 Jul 14 2005 "C:\SUPPORT\Base_Applications\VPN_Client\CiscoVPNClient\installservice.exe"

15872 Feb 21 2003 "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe"

28672 Sep 23 2005 "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"

173736 Feb 24 2007 "D:\Deckard\System Scanner\backup\WINDOWS\temp\Installer.exe"

208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE"

208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"

192591 Sep 2 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE"

192591 Sep 3 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe"

122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"

122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"

122940 Sep 8 2005 "C:\Program Files\Roxio\Creator Plus-Dell Edition\DLA\install\dlactrlw.exe"

45056 Mar 6 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE"

45056 Mar 7 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe"

45056 Mar 6 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\SRC\AMAGENT.EXE"

45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\amagent.exe"

45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe"

81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"

221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"

1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe"

1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"

52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar2user.exe"

69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"

26694 Oct 22 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"

171448 Jan 25 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"

49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"

132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"

59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe"

59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"

455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE"

455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"

208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE"

208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"

192591 Sep 2 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE"

192591 Sep 3 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe"

44032 Aug 23 2001 "C:\WINDOWS\ime\imkr6_1\imekrmig.exe"

44544 Jan 9 2001 "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe"

81920 Dec 6 2005 "C:\Program Files\Logitech\Video\LogitechUpdate.exe"

67128 Feb 26 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"

3104 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\basic.inv"

3104 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\BAK\basic.inv"

30393 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\amsoft.xml"

2744 Nov 22 2007 "C:\CLIENTWS\Compliance.mnv"

2744 Nov 22 2007 "C:\CLIENTWS\BAK\Compliance.mnv"

2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Compliance.mnv"

2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv"

14130 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\ENDForce.INV"

14130 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\ENDForce.INV"

608 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\GEHCInventory.mnv"

608 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\GEHCInventory.mnv"

25563 Nov 22 2007 "C:\CLIENTWS\IG40.INV"

25563 Nov 22 2007 "C:\CLIENTWS\BAK\IG40.INV"

46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\IG40.INV"

46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV"

289 May 23 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\PERF.INV"

289 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\PERF.INV"

1620 Nov 22 2007 "C:\CLIENTWS\security.MNV"

1620 Nov 22 2007 "C:\CLIENTWS\BAK\security.MNV"

788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Security.mnv"

788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv"

45056 Mar 6 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE"

45056 Mar 7 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe"

45056 Mar 6 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\SRC\AMAGENT.EXE"

45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\amagent.exe"

45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe"

107008 Jul 14 2006 "D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe"

102400 Nov 14 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"

267048 Nov 2 2007 "D:\Program Files\iTunes\iTunesHelper.exe"

256576 Oct 30 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"

116008 Nov 14 2007 "D:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"

49152 Feb 19 2006 "D:\Program Files\HP\HP Software Update\hpwuSchd2.exe"

49152 Feb 19 2006 "D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"

341504 Jul 11 2006 "D:\Program Files\TiVo\Desktop\TiVoNotify.exe"

341504 Jul 11 2006 "D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe"

1313792 Jul 11 2006 "D:\Program Files\TiVo\Desktop\TiVoServer.exe"

1313792 Jul 11 2006 "D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe"

 

 

end of report

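The listing above pairs files at their original location with copies that FindAWF found under a `bak` folder. As an added example (not FindAWF's own code and not part of the original thread), the following Python script parses a listing in that line format and pairs each `bak` copy with the live file at the original path, so that size mismatches and orphaned `bak` copies can be reviewed before anything is restored. The embedded excerpt is constructed from a few lines of the posted report; the classification labels are this example's own.

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt: a few lines copied from the FindAWF report posted in this
# thread, in the tool's '<size> <Mon> <day> <year> "<path>"' line format.
SAMPLE_REPORT = r'''
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe"

59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"

267048 Nov 2 2007 "D:\Program Files\iTunes\iTunesHelper.exe"

256576 Oct 30 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"

1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"

end of report
'''

# size, date (Mon D YYYY), quoted path
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$')


def parse_report(text):
    """Return (size, date, path) for every file line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def original_for(path):
    """For a file directly inside a 'bak' folder (matched case-insensitively)
    return the path at the original location; None for any other file."""
    parts = PureWindowsPath(path).parts
    if len(parts) >= 3 and parts[-2].lower() == 'bak':
        return str(PureWindowsPath(*parts[:-2], parts[-1]))
    return None


def triage(entries):
    """Pair every bak copy with the live file at the original location.

    Labels (this example's own, not FindAWF's):
      match          live file and bak copy have the same size
      size_mismatch  sizes differ: inspect both before restoring anything
      orphan_bak     bak copy with no live file at the original path
    Each finding is (label, path, live_size, bak_size).
    """
    live = {path.lower(): size for size, _, path in entries}
    findings = []
    for size, _, path in entries:
        orig = original_for(path)
        if orig is None:
            continue
        live_size = live.get(orig.lower())
        if live_size is None:
            findings.append(('orphan_bak', path, None, size))
        elif live_size != size:
            findings.append(('size_mismatch', orig, live_size, size))
        else:
            findings.append(('match', orig, live_size, size))
    return findings


if __name__ == '__main__':
    for kind, path, live_size, bak_size in triage(parse_report(SAMPLE_REPORT)):
        print(f'{kind:14} live={live_size} bak={bak_size} {path}')
```

A size match only says the two copies have the same length; a real restore decision should compare hashes and follow the tool's own output, and an orphaned `bak` copy may simply be left over from an earlier clean-up or an uninstalled program rather than evidence of infection.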

Hi again,

 

Double-click the FindAWF icon once again

 

If a Security Alert shows, allow the program to run.

As instructed, press any key to continue.

Use the following option: Press 4 then Enter to reset domain zones

 

This removes all entries from the domain zones.

When the program returns to the main menu, use the following option:

Press E then Enter to EXIT

 

Then please post a new HiJackThis log, and let me know how your PC is running now.

 

jedi


Hi Jedi, I did all you suggested, and following is the latest HijackThis log - the computer appears to be running without problems now:

 

----------------------------

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 13:53, on 2007-11-22

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\SafeBoot\SBMGRNT.EXE

C:\WINDOWS\system32\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

D:\Program Files\Lavasoft\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe

c:\Program Files\CA\SC\CAM\bin\cam.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

c:\Program Files\ENDFORCE\AgentAPI.exe

C:\WINDOWS\System32\tcpsvcs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

C:\WINDOWS\System32\WLTRYSVC.EXE

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\UMCSTUB.EXE

c:\Program Files\CA\DSM\bin\caf.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Citrix\ICA Client\ssonsvr.exe

C:\WINDOWS\Explorer.EXE

c:\Program Files\CA\DSM\Bin\cfsmsmd.exe

c:\Program Files\CA\DSM\Bin\ccnfagent.exe

c:\Program Files\CA\DSM\Bin\cfnotsrvd.exe

c:\Program Files\CA\DSM\Bin\ccsmagtd.exe

c:\Program Files\CA\DSM\Bin\amswmagt.exe

c:\Program Files\CA\DSM\PMAgent\capmuamagt.exe

c:\Program Files\CA\DSM\Bin\cfftplugin.exe

C:\WINDOWS\stsystra.exe

C:\Program Files\CA\DSM\bin\cfSysTray.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

D:\Program Files\Skype\Phone\Skype.exe

D:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://healthcare.home.ge.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://healthcare.home.ge.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gems.setpac.ge.com:1533/pac.pac

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [sBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon

O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"

O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

O4 - HKLM\..\Run: [DsmSxplog] "c:\Program Files\CA\DSM\Bin\sxpstub.exe"

O4 - HKLM\..\Run: [CAF_SystemTray] "c:\Program Files\CA\DSM\bin\cfSysTray.exe"

O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe

O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')

O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe

O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe

O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe

O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmone\Hotsync.exe

O4 - Global Startup: Microsoft Office.lnk = ?

O4 - Global Startup: Mobile Suite Client.lnk = C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe

O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aol\aim.exe

O14 - IERESET.INF: START_PAGE_URL=http://healthcare.home.ge.com

O16 - DPF: Sametime MRC 651FP1 - http://medmeeting01.ge.com/sametime/stmeet...gRoomClient.cab

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633

O16 - DPF: {09141A78-37A9-46CF-ACE9-AE0E4684B981} (Siebel High Interactivity Framework) - http://svc.med.ge.com/emedical_enu/19221/a...x_HI_Client.cab

O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.infotriever.com/bin/ifhelper.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111w.bay111.mail.live.com/mail/re...es/MsnPUpld.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://svc.med.ge.com/emedical_enu/19221/a...tBound_mail.cab

O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://svc.med.ge.com/emedical_enu/19221/a...Integration.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://medmeeting01.ge.com/sametime/stmeet...STJNILoader.cab

O16 - DPF: {DCBDA427-FB4C-46BF-A442-41EC5BA87F1B} - https://racalendarplugin.themeetingson.com/...000RCOGN000.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emeetings.webex.com/client/T23L10NS...bex/ieatgpc.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\Software\..\Telephony: DomainName = clients.am.health.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com

O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs:

O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\aawservice.exe

O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe

O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe

O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - c:\Program Files\CA\SC\CAM\bin\cam.exe

O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - c:\Program Files\CA\DSM\bin\caf.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe

O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - c:\Program Files\ENDFORCE\AgentAPI.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe

O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

 

--

End of file - 14230 bytes

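The log above was judged by reading each R/O section by hand. As an added example (not HijackThis's own code and not part of the original thread), the following Python script applies a few of the checks a reviewer makes on such a log: entries that point at files which no longer exist, startup items launched from a UNC path, downloaded ActiveX packages (O16) and the host they came from, a non-empty AppInit_DLLs value, Winlogon Notify DLLs, and services whose owner HijackThis could not read. The embedded excerpt is constructed from individual lines of the posted log, kept exactly as shown (including the truncated URL); the rule set and the labels are this example's own assumptions, not a verdict on the machine.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt: individual lines copied from the HijackThis log posted in
# this thread (truncated URLs are kept exactly as the log shows them).
SAMPLE_LOG = r'''
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
'''

ENTRY_RE = re.compile(r'^(?P<sec>[RO]\d{1,2}) - (?P<body>.*)$')
UNC_RUN_RE = re.compile(r':\s*\[[^\]]*\]\s*\\\\')   # Run: [name] \\server\share\...
URL_RE = re.compile(r'https?://\S+')


def parse_hjt(text):
    """Return (section, body) pairs for every R*/O* line in a HijackThis log."""
    return [(m.group('sec'), m.group('body'))
            for m in map(ENTRY_RE.match, text.splitlines()) if m]


def triage_hjt(entries):
    """Apply a handful of review rules (this example's own, not HijackThis's).

    Each finding is (label, section, detail):
      dead_reference    entry points at a file that no longer exists
      unc_startup       startup item launched from a UNC path (confirm with the domain admins)
      activex_download  O16 ActiveX package; detail is the host it was downloaded from
      appinit_dll       non-empty AppInit_DLLs (loaded into every process that loads user32.dll)
      winlogon_notify   DLL loaded by winlogon at logon
      unknown_owner     O23 service with no readable company name (verify, not proof of malice)
    """
    findings = []
    for sec, body in entries:
        low = body.lower()
        if '(no file)' in low or '(file missing)' in low:
            findings.append(('dead_reference', sec, body))
        if sec == 'O4' and UNC_RUN_RE.search(body):
            findings.append(('unc_startup', sec, body))
        if sec == 'O16':
            m = URL_RE.search(body)
            host = urlparse(m.group(0)).hostname if m else None
            findings.append(('activex_download', sec, host))
        if sec == 'O20' and low.startswith('appinit_dlls:'):
            if body.split(':', 1)[1].strip():
                findings.append(('appinit_dll', sec, body))
        if sec == 'O20' and low.startswith('winlogon notify:'):
            findings.append(('winlogon_notify', sec, body))
        if sec == 'O23' and 'unknown owner' in low:
            findings.append(('unknown_owner', sec, body))
    return findings


if __name__ == '__main__':
    for label, sec, detail in triage_hjt(parse_hjt(SAMPLE_LOG)):
        print(f'{label:17} {sec:3} {detail}')
```

Every finding is a prompt to look, not a removal instruction: the UNC startup item here lives in the corporate SYSVOL share and the Winlogon Notify DLL belongs to the CA DSM agent, both of which are expected on a managed machine, while the dead references are harmless leftovers that a tool such as HijackThis can fix. Only a human who knows what the machine is supposed to run can turn these labels into decisions.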

Hi again,

 

Your log looks clean. :thumbsup:

 

In order to be better protected in the future, I recommend the following programs:

 

SpywareBlaster protects against bad ActiveX.

http://www.javacoolsoftware.com/spywareblaster.html

 

SpywareGuard stops Spyware from being installed.

http://www.javacoolsoftware.com/spywareguard.html

 

Also install the MVPS hosts file:

http://www.mvps.org/winhelp2002/hosts.htm

which blocks innocent looking sites that are not so innocent.

 

All three are very small free programs that you run once, and then just occasionally to check for updates.

 

Also see

How did I get Infected?

 

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking

here http://v4.windowsupdate.microsoft.com/

and following the prompts.

 

jedi :)


Many thanks for all the help Jedi, it is really very much appreciated. I hope you enjoy a very happy holiday season.

 

Best wishes,

 

victorb


You're most welcome. Happy holidays to you and yours also.

 

jedi :wave:


Glad we could help. :)

 

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
