spyware/trojan infection - 2 Duplicates deleted


  • This topic is locked
21 replies to this topic

#1 victorb

    Member

  • Full Member
  • 12 posts

Posted 11 November 2007 - 10:16 PM

I appear to have been infected with at least several spyware and/or trojan programs. The infection appears to have disabled my ability to run ActiveX, and I cannot reactivate this functionality.

I first ran Spybot Search & Destroy, and it appeared to successfully remove some problems it detected (listed as CoolWWWSearch, SpySheriff, SearchCentrix, Smitfraud-C, and Spabot). This did not solve the problem.

I also ran Ad-Aware 2007; no specific threats were detected.

My computer runs the corporate version of Symantec AntiVirus. I ran two complete scans, and they picked up multiple copies of Trojan.Peacomm.D, which Symantec appeared to remove successfully. The second complete scan also picked up Adware.SystemProcess, which it appeared to clean as well.

The original problem, however, remains: ActiveX is not working.

I have downloaded HijackThis, and the current logfile follows.

Any advice you can give me will be greatly appreciated.

------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:54:24 PM, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
c:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\ENDFORCE\AgentAPI.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\UMCSTUB.EXE
c:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\Program Files\CA\DSM\Bin\cfsmsmd.exe
c:\Program Files\CA\DSM\Bin\ccnfagent.exe
c:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
c:\Program Files\CA\DSM\Bin\ccsmagtd.exe
c:\Program Files\CA\DSM\Bin\amswmagt.exe
c:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
c:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\msfw.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Infotriever\Agent\infoclient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
d:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://healthcare.ho...site/healthcare
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gems.setpac.ge.com:1533/pac.pac
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [DsmSxplog] "c:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] "c:\Program Files\CA\DSM\bin\cfSysTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKCU\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKCU\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKCU\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\nav\Navsvr.vbs
O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmone\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Mobile Suite Client.lnk = C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aol\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://healthcare.home.ge.com
O16 - DPF: Sametime MRC 651FP1 - http://medmeeting01....gRoomClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {09141A78-37A9-46CF-ACE9-AE0E4684B981} (Siebel High Interactivity Framework) - http://svc.med.ge.co...x_HI_Client.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.inf...in/ifhelper.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111w.bay111...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://svc.med.ge.co...tBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://svc.med.ge.co...Integration.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://medmeeting01....STJNILoader.cab
O16 - DPF: {DCBDA427-FB4C-46BF-A442-41EC5BA87F1B} - https://racalendarpl...000RCOGN000.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emeetings.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = clients.am.health.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - c:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - c:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - c:\Program Files\ENDFORCE\AgentAPI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 15461 bytes

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,476 posts

Posted 14 November 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 jedi

    aequam memento rebus in arduis servare mentem (remember to keep a calm mind in difficult times)

  • Administrators
  • 15,808 posts

Posted 19 November 2007 - 03:46 PM

Hi,

If you still need help, please post a new HijackThis log.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#4 victorb

    Member

  • Full Member
  • 12 posts

Posted 19 November 2007 - 04:56 PM

Here is the latest HijackThis log.

Thanks

-------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:20 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
c:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\ENDFORCE\AgentAPI.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\UMCSTUB.EXE
c:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\Program Files\CA\DSM\Bin\cfsmsmd.exe
c:\Program Files\CA\DSM\Bin\ccnfagent.exe
c:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\Program Files\Microsoft Security Adviser\msctrl.exe
C:\Program Files\Microsoft Security Adviser\msavsc.exe
C:\Program Files\Microsoft Security Adviser\msscan.exe
C:\Program Files\Microsoft Security Adviser\msiemon.exe
C:\Program Files\Microsoft Security Adviser\msfw.exe
D:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\CA\DSM\Bin\ccsmagtd.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
c:\Program Files\CA\DSM\Bin\amswmagt.exe
c:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
c:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Infotriever\Agent\infoclient.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://healthcare.home.ge.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://healthcare.home.ge.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gems.setpac.ge.com:1533/pac.pac
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [DsmSxplog] "c:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] "c:\Program Files\CA\DSM\bin\cfSysTray.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKLM\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKLM\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKLM\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKLM\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msctrl.exe] C:\Program Files\Microsoft Security Adviser\msctrl.exe
O4 - HKCU\..\Run: [msavsc.exe] C:\Program Files\Microsoft Security Adviser\msavsc.exe
O4 - HKCU\..\Run: [msscan.exe] C:\Program Files\Microsoft Security Adviser\msscan.exe
O4 - HKCU\..\Run: [msiemon.exe] C:\Program Files\Microsoft Security Adviser\msiemon.exe
O4 - HKCU\..\Run: [msfw.exe] C:\Program Files\Microsoft Security Adviser\msfw.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\nav\Navsvr.vbs
O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmone\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Mobile Suite Client.lnk = C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aol\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://healthcare.home.ge.com
O16 - DPF: Sametime MRC 651FP1 - http://medmeeting01....gRoomClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {09141A78-37A9-46CF-ACE9-AE0E4684B981} (Siebel High Interactivity Framework) - http://svc.med.ge.co...x_HI_Client.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.inf...in/ifhelper.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111w.bay111...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://svc.med.ge.co...tBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://svc.med.ge.co...Integration.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://medmeeting01....STJNILoader.cab
O16 - DPF: {DCBDA427-FB4C-46BF-A442-41EC5BA87F1B} - https://racalendarpl...000RCOGN000.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emeetings.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = clients.am.health.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - c:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - c:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - c:\Program Files\ENDFORCE\AgentAPI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 16246 bytes

#5 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,808 posts

Posted 19 November 2007 - 05:07 PM

Hi,

I need a sample of this folder:

C:\Program Files\Microsoft Security Adviser

Please upload it to me here:
http://www.bleepingc....php?channel=18

Next:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, see whether you can click the next icon next to the files found: Posted Image
  • If so, click it, then click the next icon right below and select Move incurable, as you'll see in the next image:
    Posted Image
    This will move the file to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu at the top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web Cureit.
  • Reboot your computer! It is possible that files in use will only be moved/deleted during the reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
Also:

1. Download this file -
ComboFix
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#6 victorb

    Member

  • Full Member
  • 12 posts

Posted 20 November 2007 - 08:16 AM

Hi Jedi,

1) Requested file was uploaded to bleepingcomputer

2) I ran Dr.Web CureIt, log is below.

3) I could not run ComboFix - it came up with a message saying the copy has expired, and then it "uninstalled" itself.

Here is CureIt log:

svchost.exe;C:\;Trojan.Click.4813;Deleted.;
svchost2.exe;C:\;Trojan.Click.4813;Deleted.;
CheckPowerAndDock.vbs;C:\NewReboot;Modification of VBS.Generic.358;Moved.;
aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;Incurable.Moved.;
mssadv.exe;C:\Program Files\Microsoft Security Adviser;Trojan.Click.3334;Deleted.;
dlbxEN.vbs;C:\SUPPORT\Software\Printers Driver\Dell\Dell 962;Probably SCRIPT.Virus;Incurable.Moved.;
msavsc.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
msctrl.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
msfw.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
msiemon.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
mssadv.dll;C:\WINDOWS;Trojan.Click.3334;Deleted.;
msscan.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
10 Colour My World.m4a;D:\Documents and Settings\212043642\My Documents\My Music\iTunes\iTunes Music\Chicago\Chicago II;Modification of Trojan.DownLoader.8192;Moved.;
inst.exe;D:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;


Thanks
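To make a report like this quicker to triage, here is an added example (not part of the thread, and not Dr.Web's own code) that parses the DrWeb.csv record layout shown above and pulls out what a helper wants to know: which detections were only heuristic ("Probably …" / "Modification of …"), which files went to quarantine rather than being deleted and so are still available as samples, and which carry a Windows system binary's name outside its normal directory, like svchost.exe sitting in C:\. The log lines are copied from the post; the table of where system binaries normally live is an assumption of mine for a Windows XP install on C:.

```python
"""Triage helper for a Dr.Web CureIt report (DrWeb.csv).

Added example, not part of the thread or of Dr.Web. Each record in the
report has the layout seen in the post:  name;directory;threat;action;
The log text below is copied from the post; the triage rules are my own.
"""
from collections import Counter
from dataclasses import dataclass
import ntpath

# Copied from victorb's post above (raw string so the backslashes survive).
CUREIT_LOG = r"""
svchost.exe;C:\;Trojan.Click.4813;Deleted.;
svchost2.exe;C:\;Trojan.Click.4813;Deleted.;
CheckPowerAndDock.vbs;C:\NewReboot;Modification of VBS.Generic.358;Moved.;
aolsetup.exe;C:\Program Files\AIM6\services\softwareUpdate\ver2_13_13_7;Probably BACKDOOR.Trojan;Incurable.Moved.;
mssadv.exe;C:\Program Files\Microsoft Security Adviser;Trojan.Click.3334;Deleted.;
dlbxEN.vbs;C:\SUPPORT\Software\Printers Driver\Dell\Dell 962;Probably SCRIPT.Virus;Incurable.Moved.;
msavsc.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
msctrl.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
msfw.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
msiemon.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
mssadv.dll;C:\WINDOWS;Trojan.Click.3334;Deleted.;
msscan.dll;C:\WINDOWS;Trojan.LowZones.232;Deleted.;
Process.exe;C:\WINDOWS\system32;Tool.Prockill;Incurable.Moved.;
10 Colour My World.m4a;D:\Documents and Settings\212043642\My Documents\My Music\iTunes\iTunes Music\Chicago\Chicago II;Modification of Trojan.DownLoader.8192;Moved.;
inst.exe;D:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install_6.0.28.3;Probably BACKDOOR.Trojan;Incurable.Moved.;
"""

# Where these Windows binaries legitimately live (assumption: Windows XP on C:).
# A file with one of these names anywhere else deserves a second look.
SYSTEM_BINARY_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
}

# Dr.Web prefixes that mark a heuristic rather than an exact signature hit.
HEURISTIC_PREFIXES = ("Probably ", "Modification of ")


@dataclass(frozen=True)
class Finding:
    name: str
    directory: str
    threat: str
    action: str

    @property
    def path(self) -> str:
        return ntpath.join(self.directory, self.name)

    @property
    def heuristic(self) -> bool:
        return self.threat.startswith(HEURISTIC_PREFIXES)

    @property
    def quarantined(self) -> bool:
        # "Moved." and "Incurable.Moved." both land in the DoctorWeb quarantine;
        # only these files are still around if a sample is requested.
        return "Moved" in self.action

    @property
    def masquerade(self) -> bool:
        home = SYSTEM_BINARY_HOME.get(self.name.lower())
        return home is not None and self.directory.lower().rstrip("\\") != home


def parse_cureit(text: str) -> list[Finding]:
    """Parse the semicolon-separated report; skip blank or malformed lines."""
    findings = []
    for line in text.splitlines():
        parts = line.rstrip(";").split(";")
        if len(parts) < 4:
            continue  # blank line, or not a 4-field record
        findings.append(Finding(*parts[:4]))
    return findings


def action_counts(findings: list[Finding]) -> dict[str, int]:
    """How many records ended in each scanner action (Deleted., Moved., ...)."""
    return dict(Counter(f.action for f in findings))


def samples_available(findings: list[Finding]) -> list[str]:
    """Full paths of files that went to quarantine instead of being deleted."""
    return [f.path for f in findings if f.quarantined]


def masquerades(findings: list[Finding]) -> list[str]:
    """Files carrying a system binary's name outside that binary's home."""
    return [f.path for f in findings if f.masquerade]


if __name__ == "__main__":
    found = parse_cureit(CUREIT_LOG)
    print("actions:", action_counts(found))
    print("heuristic detections:", sum(f.heuristic for f in found))
    print("still in quarantine:", *samples_available(found), sep="\n  ")
    print("system-name masquerades:", *masquerades(found), sep="\n  ")
```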

#7 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,808 posts

Posted 20 November 2007 - 10:27 AM

Hi again,

Download Deckard's System Scanner (formerly Comboscan) from
http://www.geekstogo...a...nload&id=19
to your Desktop.
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread.
jedi

#8 victorb

    Member

  • Full Member
  • 12 posts

Posted 20 November 2007 - 10:41 AM

Thanks Jedi, here is the log file:

Deckard's System Scanner v20071014.68
Run by 212043642 on 2007-11-20 10:31:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2007-11-20 15:31:51 UTC - RP3 - Deckard's System Scanner Restore Point
1: 2007-11-20 13:12:14 UTC - RP2 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as 212043642.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36, on 2007-11-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
c:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\ENDFORCE\AgentAPI.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\UMCSTUB.EXE
C:\WINDOWS\Explorer.EXE
c:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\Program Files\CA\DSM\Bin\cfsmsmd.exe
c:\Program Files\CA\DSM\Bin\ccnfagent.exe
c:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
c:\Program Files\CA\DSM\Bin\ccsmagtd.exe
c:\Program Files\CA\DSM\Bin\amswmagt.exe
c:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
c:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
D:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\iPod\bin\iPodService.exe
D:\Documents and Settings\212043642\Desktop\dss.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\212043642.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://healthcare.home.ge.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://healthcare.home.ge.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gems.setpac.ge.com:1533/pac.pac
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [DsmSxplog] "c:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] "c:\Program Files\CA\DSM\bin\cfSysTray.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmone\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Mobile Suite Client.lnk = C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aol\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://healthcare.home.ge.com
O16 - DPF: Sametime MRC 651FP1 - http://medmeeting01....gRoomClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {09141A78-37A9-46CF-ACE9-AE0E4684B981} (Siebel High Interactivity Framework) - http://svc.med.ge.co...x_HI_Client.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.inf...in/ifhelper.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111w.bay111...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://svc.med.ge.co...tBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://svc.med.ge.co...Integration.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://medmeeting01....STJNILoader.cab
O16 - DPF: {DCBDA427-FB4C-46BF-A442-41EC5BA87F1B} - https://racalendarpl...000RCOGN000.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emeetings.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = clients.am.health.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - c:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - c:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - c:\Program Files\ENDFORCE\AgentAPI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 14142 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 aarich - c:\windows\system32\drivers\aarich.sys <Not Verified; Adaptec, Inc.; Adaptec hostRAID for Serial ATA>
R0 cercsr6 (DELL CERC SATA 1.5/6ch RAID Miniport Driver) - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
R0 Gernuwa - c:\windows\system32\drivers\gernuwa.sys <Not Verified; Symantec Corporation; pcAnywhere>
R0 SafeBoot - c:\windows\system32\drivers\safeboot.sys
R0 SBAlg - c:\windows\system32\drivers\sbalg.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 awecho - c:\windows\system32\drivers\awechomd.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 awlegacy - c:\windows\system32\drivers\awlegacy.sys <Not Verified; Symantec Corporation; pcAnywhere>
R1 efPktFtr (ENDFORCE Quarantine Filter) - c:\windows\system32\drivers\efpktftr.sys <Not Verified; ENDFORCE, Inc.; Endforce DNE Plugin>
R1 RsvLock - c:\windows\system32\drivers\rsvlock.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 SBFlop - c:\windows\system32\drivers\sbflop.sys <Not Verified; Control Break International; SafeBoot Security System>
R1 SbPrcCtl - c:\windows\system32\drivers\sbprcctl.sys <Not Verified; Control Break International; SafeBoot Security System>
R3 LVPrcMon (Logitech LVPrcMon Driver) - c:\windows\system32\drivers\lvprcmon.sys
R4 black - c:\windows\system32\drivers\blackdrv.sys <Not Verified; Internet Security Systems, Inc.; ICEpac>

S3 HSFHWICH - c:\windows\system32\drivers\hsfhwich.sys <Not Verified; Conexant Systems, Inc.; SoftK56 Modem Driver>
S3 RapFile - c:\windows\system32\drivers\rapfile.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S3 RapNet - c:\windows\system32\drivers\rapnet.sys <Not Verified; Internet Security Systems, Inc.; Rap Protection System>
S4 a320raid - c:\windows\system32\drivers\a320raid.sys <Not Verified; Adaptec, Inc.; Adaptec hostRAID for Ultra320 SCSI>
S4 aac (PERC 320/DC SCSI RAID Miniport Driver) - c:\windows\system32\drivers\aac.sys <Not Verified; Adaptec, Inc.; Adaptec RAID Controller>
S4 AW_HOST - c:\windows\system32\drivers\aw_host5.sys <Not Verified; Symantec Corporation; pcAnywhere>
S4 fasttx2k - c:\windows\system32\drivers\fasttx2k.sys <Not Verified; Promise Technology, Inc.; Promise FastTrak Series Driver>
S4 vmscsi - c:\windows\system32\drivers\vmscsi.sys <Not Verified; VMware, Inc.; VMware, Inc. Script1 Application>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AmoAgent (Asset Management Agent) - c:\windows\umcstub.exe <Not Verified; Computer Associates International, Inc.; Unicenter Asset Management>
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 BlackICE - "c:\program files\iss\isssensors\desktopprotection\blackd.exe" <Not Verified; Internet Security Systems, Inc.; Internet Security Systems Inc. blackd>
R2 CA-MessageQueuing (CA Message Queuing Server) - "c:\program files\ca\sc\cam\bin\cam.exe" <Not Verified; CA, Inc.; CA Message Queuing>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 ENDFORCE Agent API - "c:\program files\endforce\agentapi.exe" <Not Verified; ENDFORCE, Inc.; Agent API Module>
R2 InCDsrvR (InCD Helper (read only)) - c:\program files\ahead\incd\incdsrv.exe -r <Not Verified; Nero AG; Nero AG incdsrv>
R2 Lotus Notes Single Logon - c:\windows\system32\nslsvice.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 SafeBootConfigurationManager (SafeBoot Configuration Manager) - c:\program files\safeboot\sbmgrnt.exe <Not Verified; Control Break International; SafeBoot Security System>

S3 awhost32 (pcAnywhere Host Service) - c:\program files\symantec\pcanywhere\awhost32.exe <Not Verified; Symantec Corporation; pcAnywhere>
S3 RapApp - "c:\program files\iss\isssensors\desktopprotection\rapapp.exe" <Not Verified; Internet Security Systems, Inc.; Internet Security Systems, Inc. Rap Protection System>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET00
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET00
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2007-11-14 12:08:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-10-20 and 2007-11-20 -----------------------------

2007-11-20 10:31:19 0 d-------- D:\Deckard
2007-11-19 22:14:08 0 d-------- D:\Documents and Settings\212043642\DoctorWeb
2007-11-15 13:48:46 0 d-------- D:\Documents and Settings\212043642\Application Data\GlarySoft
2007-11-14 12:29:08 0 d-------- C:\Program Files\iPod
2007-11-14 12:28:45 0 d--hs---- D:\Config.Msi
2007-11-10 17:01:03 4922 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-10 17:00:40 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-10 17:00:40 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-11-10 17:00:40 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-11-10 17:00:40 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-10 15:05:41 0 d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-09 10:34:20 3063 --a------ C:\WINDOWS\system32\m1ax1d1213216143v.exe
2007-11-07 08:14:17 0 d-------- C:\Program Files\Microsoft Security Adviser


-- Find3M Report ---------------------------------------------------------------

2007-11-20 08:06:26 0 d-------- C:\Program Files\Symantec AntiVirus
2007-11-20 08:06:00 0 d-------- C:\Program Files\ENDFORCE
2007-11-19 10:51:39 0 d-------- D:\Documents and Settings\212043642\Application Data\Skype
2007-11-19 08:49:51 0 d-------- C:\Program Files\Dl_cats
2007-11-15 13:43:08 0 d-------- C:\Program Files\MTBWIN
2007-11-15 13:43:08 0 d-------- C:\Program Files\Crystal Ball
2007-11-14 13:56:18 0 d-------- C:\Program Files\SafeBoot
2007-11-14 12:27:17 0 d-------- C:\Program Files\QuickTime
2007-11-10 16:41:54 0 d-------- C:\Program Files\Java
2007-11-10 15:04:16 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 14:47:46 0 d-------- D:\Documents and Settings\212043642\Application Data\Lavasoft
2007-11-10 14:38:49 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-11-10 14:35:30 0 d-------- C:\Program Files\Canon
2007-11-09 18:24:03 0 d-------- C:\Program Files\Windows NT
2007-11-09 18:21:46 0 d-------- C:\Program Files\Windows Desktop Search
2007-11-09 18:16:32 0 d-------- C:\Program Files\MSN Messenger
2007-11-09 18:15:43 0 d--h----- C:\Program Files\Movie Maker
2007-11-09 18:13:05 0 d-------- C:\Program Files\Messenger
2007-11-09 18:10:26 0 d-------- C:\Program Files\Live Search Maps for Outlook
2007-11-09 18:02:32 0 d-------- C:\Program Files\Google
2007-11-09 17:57:25 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-11-09 17:51:36 0 d-------- C:\Program Files\Common Files\Logitech
2007-11-09 12:10:12 0 d-------- C:\Program Files\Apple Software Update
2007-11-09 12:09:54 0 d-------- C:\Program Files\Apoint
2007-11-09 12:09:26 0 d-------- C:\Program Files\AOD
2007-11-09 12:07:00 0 d-------- C:\Program Files\2340_Fiberlink
2007-11-07 08:26:30 0 d-------- C:\Program Files\AIM6
2007-11-05 19:11:30 0 d-------- D:\Documents and Settings\212043642\Application Data\Canon
2007-11-05 00:05:18 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-22 19:22:10 0 d-------- D:\Documents and Settings\212043642\Application Data\Google
2007-09-20 01:24:24 0 d-------- D:\Documents and Settings\212043642\Application Data\Paltalk
2007-09-07 11:50:34 65096 --a------ D:\Documents and Settings\212043642\Application Data\GDIPFONTCACHEV1.DAT
2007-08-28 13:42:31 224 --a------ C:\WINDOWS\system32\tbhi.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 16:35 C:\WINDOWS\stsystra.exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-02 11:00]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 21:39]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 11:33]
"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 15:06]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [2007-02-01 10:54]
"CA-AMAgent"="C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe" [2003-03-06 16:04]
"imjpmig"="C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2003-09-02 18:33]
"DsmSxplog"="c:\Program Files\CA\DSM\Bin\sxpstub.exe" [2007-03-03 15:07]
"CAF_SystemTray"="c:\Program Files\CA\DSM\bin\cfSysTray.exe" [2007-03-03 12:30]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 12:55]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-02 11:00]

D:\Documents and Settings\212043642\Start Menu\Programs\Startup\
Infotriever.lnk - C:\Program Files\Infotriever\Agent\infoclient.exe [2007-02-15 09:29:43]
Yahoo! Widget Engine.lnk - D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-10-05 11:14:32]
HotSync Manager.lnk - D:\Program Files\palmone\Hotsync.exe [2004-06-09 14:16:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-14 06:01:04]
Mobile Suite Client.lnk - C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe [2007-02-13 20:50:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"SB_NoDispScrSavPage"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"=0 (0x0)
"SB_NoDispScrSavPage"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"2"=\\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
c:\Program Files\CA\DSM\Bin\cfwlogon.dll 2007-03-03 12:30 27664 c:\Program Files\CA\DSM\Bin\cfWlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 12:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ppeclt]
PPEClt.dll 2005-05-25 04:00 163840 C:\WINDOWS\system32\PPEClt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\]
"Script"=Workstation_Startup_Script.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{270f82ac-ff18-11db-915e-0015c548d277}]
AutoRun\command- F:\setupSNK.exe

*Newly Created Service* - IG40WNT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub



-- End of Deckard's System Scanner: finished at 2007-11-20 10:37:03 ------------

#9 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,808 posts

Posted 20 November 2007 - 10:58 AM

Hi again,

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next bold part:

C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\m1ax1d1213216143v.exe

Open 'File' in the Killbox menu at the top and choose Paste from clipboard.

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask whether you would like to reboot now; click YES.
If you don't get that message, reboot manually.

Your computer should reboot now.

Next:

Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-sec.../home/ols.shtml

Scroll to the bottom of the page, and click Start Scan.

When prompted, choose to install the software. After the software has installed, click Accept. Click Custom Scan and check the option for Scan inside archives, then click Start. The necessary databases will then be downloaded, and the scan will then start automatically.

Please be patient, as this scan will take a while to complete. If any infections are found, the "cleaning" screen will be displayed once the scan has finished.

Choose Automatic cleaning (recommended). After cleaning has finished, the Finish screen will be displayed.

Choose Show Report. In order to post the report, press CTRL+A on your keyboard to highlight all the text.

Then copy and paste that information into this thread.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#10 victorb

victorb

    Member

  • Full Member
  • 12 posts

Posted 20 November 2007 - 04:09 PM

Hi Jedi,

All recommended actions performed - here is the result of the F-Secure scan.

----------------------------------------------------------

Scanning Report
Tuesday, November 20, 2007 11:35:24 - 16:05:35
Computer name: USHC854TQB1L
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 35 malware found
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
W32/Jesta.A (virus)
C:\WINDOWS\jestertb.dll (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 205976
System: 5453
Not scanned: 85
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 34
Submitted: 1
Files not scanned:
xނ?ӁAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SAFEBOOT.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\SUPPORT\Software\PKZIP_V5\pkzip v5.0_GEHC.exe\pkzs\Self-Extractors\pksfx500.msi\stream 8\F1046_Pksfxs.dat\WIN32_X86_G500
\\?\C:\SUPPORT\DRV\D620\Comm\R120225\Utility\config.bin\profiles.xml
C:\SUPPORT\DRV\D620\Comm\R120225\Utility\systemid.zip\SystemID.txt
\\?\C:\SUPPORT\DRV\D620\Comm\R118082\Utility\config.bin\profiles.xml
C:\SUPPORT\DRV\D620\Comm\R118082\Utility\systemid.zip\SystemID.txt
\\?\C:\SUPPORT\DRV\D620\Comm\R118077\Utility\config.bin\profiles.xml
C:\SUPPORT\DRV\D620\Comm\R118077\Utility\systemid.zip\SystemID.txt
\\?\C:\DRV\D620\Comm\R120225\Utility\config.bin\profiles.xml
C:\DRV\D620\Comm\R120225\Utility\systemid.zip\SystemID.txt
\\?\C:\DRV\D620\Comm\R118082\Utility\config.bin\profiles.xml
C:\DRV\D620\Comm\R118082\Utility\systemid.zip\SystemID.txt
\\?\C:\DRV\D620\Comm\R118077\Utility\config.bin\profiles.xml
C:\DRV\D620\Comm\R118077\Utility\systemid.zip\SystemID.txt
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearch.zip\vx.tll
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsActiveDesktop.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsActiveDesktop1.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer1.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify1.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify2.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify3.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify4.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterAntiVirusDisableNotify5.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled2.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled3.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled4.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled5.zip\sbRecovery.reg
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisabled.zip\sbRecovery.reg
--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-11-19
F-Secure AVP: 7.0.171, 2007-11-20
F-Secure Orion: 1.2.37, 2007-11-20
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 2007-10-30
F-Secure Pegasus: 1.19.0, 2007-10-18
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Scan inside archives
Use Advanced heuristics

--------------------------------------------------------------------------------


#11 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,808 posts

Posted 21 November 2007 - 03:07 PM

Hi again,

Please try running a new version of ComboFix again:

1. Download this file -
ComboFix
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#12 victorb

victorb

    Member

  • Full Member
  • 12 posts

Posted 21 November 2007 - 09:44 PM

Hi Jedi, here is the combofix log:

-----------------------

ComboFix 07-11-19.3 - 212043642 2007-11-21 21:36:48.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.394 [GMT -5:00]
Running from: D:\Documents and Settings\212043642\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-21 08:37 1,494,528 -----c--- C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-11-21 08:37 658,944 -----c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-11-21 08:37 615,424 -----c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-11-21 08:37 474,112 -----c--- C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-11-21 08:37 39,424 -----c--- C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-11-19 22:14 <DIR> d-------- D:\Documents and Settings\212043642\DoctorWeb
2007-11-15 13:48 <DIR> d-------- D:\Documents and Settings\212043642\Application Data\GlarySoft
2007-11-14 12:41 549,376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-11-14 12:29 <DIR> d-------- C:\Program Files\iPod
2007-11-10 17:01 0 --a------ C:\WINDOWS\system32\tmp.txt
2007-11-10 17:00 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-10 17:00 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-10 17:00 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-10 16:41 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-10 16:41 5,329 --a------ C:\WINDOWS\system32\jupdate-1.6.0_03-b05.log
2007-11-10 15:05 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-02 01:38 389,180 --a------ C:\WINDOWS\system32\UCS32P.DLL
2007-11-02 01:38 339,968 --a------ C:\WINDOWS\system32\N067UFW.DLL
2007-11-02 01:38 36,864 --a------ C:\WINDOWS\system32\CNQU70.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 02:12 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-22 02:11 --------- d-----w C:\Program Files\ENDFORCE
2007-11-21 14:36 --------- d-----w C:\Program Files\SafeBoot
2007-11-19 15:51 --------- d-----w D:\Documents and Settings\212043642\Application Data\Skype
2007-11-19 13:49 --------- d-----w C:\Program Files\Dl_cats
2007-11-15 18:43 --------- d-----w C:\Program Files\MTBWIN
2007-11-15 18:43 --------- d-----w C:\Program Files\Crystal Ball
2007-11-14 17:27 --------- d-----w C:\Program Files\QuickTime
2007-11-10 21:48 --------- d-----w D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-10 21:41 --------- d-----w C:\Program Files\Java
2007-11-10 20:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-10 19:47 --------- d-----w D:\Documents and Settings\212043642\Application Data\Lavasoft
2007-11-10 19:38 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-10 19:35 --------- d-----w C:\Program Files\Canon
2007-11-09 23:21 --------- d-----w C:\Program Files\Windows Desktop Search
2007-11-09 23:16 --------- d-----w C:\Program Files\MSN Messenger
2007-11-09 23:10 --------- d-----w C:\Program Files\Live Search Maps for Outlook
2007-11-09 23:02 --------- d-----w C:\Program Files\Google
2007-11-09 22:57 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-09 22:51 --------- d-----w C:\Program Files\Common Files\Logitech
2007-11-09 17:10 --------- d-----w C:\Program Files\Apple Software Update
2007-11-09 17:09 --------- d-----w C:\Program Files\Apoint
2007-11-09 17:09 --------- d-----w C:\Program Files\AOD
2007-11-09 17:07 --------- d-----w C:\Program Files\2340_Fiberlink
2007-11-07 13:26 --------- d-----w C:\Program Files\AIM6
2007-11-06 00:11 --------- d-----w D:\Documents and Settings\212043642\Application Data\Canon
2007-11-04 20:01 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2007-09-07 16:50 65,096 ----a-w D:\Documents and Settings\212043642\Application Data\GDIPFONTCACHEV1.DAT
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 396 2007-11-22 02:12:14 C:\CLIENTUS\212043642\BAK\NCUSER.mnv
----a-w 396 2007-11-22 02:12:13 C:\CLIENTUS\212043642\NCUSER.mnv

----a-w 412 2007-05-08 12:53:04 C:\CLIENTUS\212043642\BAK\UMDAT.DIF

----a-w 15,965 2007-11-21 13:20:26 C:\CLIENTWS\BAK\amapp.dat

----a-w 2,744 2007-11-22 02:13:31 C:\CLIENTWS\BAK\Compliance.mnv
----a-w 2,744 2007-11-22 02:13:31 C:\CLIENTWS\Compliance.mnv

----a-w 25,561 2007-11-22 02:13:31 C:\CLIENTWS\BAK\IG40.INV
----a-w 25,561 2007-11-22 02:13:28 C:\CLIENTWS\IG40.INV

----a-w 721 2007-11-22 02:13:31 C:\CLIENTWS\BAK\NCWORK.mnv
----a-w 721 2007-11-22 02:13:31 C:\CLIENTWS\NCWORK.mnv

----a-w 1,620 2007-11-22 02:13:31 C:\CLIENTWS\BAK\security.MNV
----a-w 1,620 2007-11-22 02:13:31 C:\CLIENTWS\security.MNV

----a-w 823 2007-11-22 02:13:32 C:\CLIENTWS\BAK\UMDAT.DIF

----a-w 75,650 2007-11-21 13:20:08 C:\CLIENTWS\BAK\UMISW.DAT

----a-r 176,128 2005-10-07 20:13:38 C:\Program Files\Apoint\bak\Apoint.exe

----a-w 3,104 2007-11-21 17:45:06 C:\Program Files\CA\DSM\Agent\units\00000001\BAK\basic.inv
----a-w 3,104 2007-11-21 17:45:06 C:\Program Files\CA\DSM\Agent\units\00000001\basic.inv

----a-w 30,393 2007-11-21 17:49:36 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\amsoft.xml

----a-w 2,961 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\Compliance.mnv
----a-w 2,961 2007-11-21 17:49:43 C:\Program Files\CA\DSM\Agent\units\00000001\uam\Compliance.mnv

----a-w 14,130 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\ENDForce.INV
----a-w 14,130 2007-11-21 17:45:39 C:\Program Files\CA\DSM\Agent\units\00000001\uam\ENDForce.INV

----a-w 608 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\GEHCInventory.mnv
----a-w 608 2007-11-21 17:49:43 C:\Program Files\CA\DSM\Agent\units\00000001\uam\GEHCInventory.mnv

----a-w 46,989 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\IG40.INV
----a-w 46,989 2007-11-21 17:45:27 C:\Program Files\CA\DSM\Agent\units\00000001\uam\IG40.INV

----a-w 289 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\PERF.INV
----a-w 289 2007-05-23 13:02:11 C:\Program Files\CA\DSM\Agent\units\00000001\uam\PERF.INV

----a-w 788 2007-11-21 17:49:44 C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\Security.mnv
----a-w 788 2007-11-21 17:49:43 C:\Program Files\CA\DSM\Agent\units\00000001\uam\Security.mnv

----a-w 45,056 2003-03-07 08:04:00 C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe
----a-w 45,056 2003-03-06 21:04:00 C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE

----a-w 81,920 2004-07-27 20:50:18 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-07-27 20:50:42 C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe

----a-w 192,591 2003-09-03 17:33:58 C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe
----a-w 192,591 2003-09-02 23:33:58 C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE

----a-w 44,544 2001-01-09 17:01:14 C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe

----a-w 48,752 2005-10-04 18:42:40 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 48,800 2005-12-21 16:33:28 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 1,174,528 2006-07-11 12:23:50 C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe
----a-w 1,174,528 2006-07-11 11:23:50 C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe

----a-w 49,152 2005-12-10 00:29:52 C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe

----a-w 1,626,112 2006-01-11 01:16:54 C:\Program Files\ENDFORCE\bak\AgntTray.exe

----a-w 171,448 2007-01-25 18:54:46 C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe

----a-w 75,520 2006-12-15 08:23:27 C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe

----a-w 67,128 2007-02-27 02:30:59 C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe

----a-w 489,472 2005-12-07 14:26:30 C:\Program Files\Logitech\Video\bak\CameraAssistant.exe

----a-w 73,728 2005-12-07 14:33:16 C:\Program Files\Logitech\Video\bak\InstallHelper.exe

----a-w 282,624 2006-10-25 23:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-10-20 01:16:26 C:\Program Files\QuickTime\QTTask.exe

----a-w 85,744 2005-11-15 19:28:04 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 85,744 2006-05-27 20:06:20 C:\Program Files\Symantec AntiVirus\VPTray.exe

----a-w 208,952 2004-08-02 16:00:00 C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
----a-w 208,952 2004-08-02 16:00:00 C:\WINDOWS\ime\imjp8_1\imjpmig.exe

----a-w 45,056 2003-03-07 08:04:00 C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe

----a-w 15,360 2004-08-02 16:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-02 16:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 262,144 2004-11-01 21:22:22 C:\WINDOWS\system32\bak\ElkCtrl.exe

----a-w 77,824 2005-12-13 23:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 118,784 2005-12-13 23:45:00 C:\WINDOWS\system32\bak\igfxpers.exe

----a-w 98,304 2005-12-13 23:44:18 C:\WINDOWS\system32\bak\igfxtray.exe

----a-w 225,280 2005-12-09 19:32:18 C:\WINDOWS\system32\bak\LVCOMSX.EXE

----a-w 1,347,584 2005-12-19 15:08:42 C:\WINDOWS\system32\bak\WLTRAY.exe

----a-w 122,940 2005-09-08 09:20:00 C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE

----a-w 59,392 2002-08-29 02:39:06 C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
----a-w 59,392 2002-08-29 02:39:06 C:\WINDOWS\system32\IME\PINTLGNT\imscinst.exe

----a-w 455,168 2002-08-29 02:39:50 C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
----a-w 455,168 2002-08-29 02:39:50 C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe

----a-w 107,008 2006-07-14 20:36:57 D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe

----a-w 49,152 2006-02-19 07:41:10 D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 49,152 2006-02-19 06:41:10 D:\Program Files\HP\HP Software Update\hpwuSchd2.exe

----a-w 256,576 2006-10-30 14:36:36 D:\Program Files\iTunes\bak\iTunesHelper.exe
----a-w 267,048 2007-11-02 23:36:42 D:\Program Files\iTunes\iTunesHelper.exe

----a-w 341,504 2006-07-11 12:24:42 D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe
----a-w 341,504 2006-07-11 11:24:42 D:\Program Files\TiVo\Desktop\TiVoNotify.exe

----a-w 1,313,792 2006-07-11 12:26:52 D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe
----a-w 1,313,792 2006-07-11 11:26:52 D:\Program Files\TiVo\Desktop\TiVoServer.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-02 11:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-11-16 16:35 C:\WINDOWS\stsystra.exe]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-02 11:00]
"MSPY2002"="C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-28 21:39]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2002-08-28 21:39]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-12-21 11:33]
"vptray"="c:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-27 15:06]
"SBMGRNT.EXE"="C:\PROGRA~1\SafeBoot\SBMGRNT.exe" [2007-02-01 10:54]
"CA-AMAgent"="C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe" [2003-03-06 16:04]
"imjpmig"="C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2003-09-02 18:33]
"DsmSxplog"="c:\Program Files\CA\DSM\Bin\sxpstub.exe" [2007-03-03 15:07]
"CAF_SystemTray"="c:\Program Files\CA\DSM\bin\cfSysTray.exe" [2007-03-03 12:30]
"DLCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll" [2005-09-08 12:55]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2006-01-12 15:40]
"iTunesHelper"="D:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2004-08-02 11:00]

D:\Documents and Settings\212043642\Start Menu\Programs\Startup\
Infotriever.lnk - C:\Program Files\Infotriever\Agent\infoclient.exe [2007-02-15 09:29:43]
Yahoo! Widget Engine.lnk - D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe [2007-07-20 12:57:16]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-10-05 11:14:32]
HotSync Manager.lnk - D:\Program Files\palmone\Hotsync.exe [2004-06-09 14:16:08]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-14 06:01:04]
Mobile Suite Client.lnk - C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe [2007-02-13 20:50:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"SB_NoDispScrSavPage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"NoDispScrSavPage"= 0 (0x0)
"SB_NoDispScrSavPage"= 0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 14:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CAF]
c:\Program Files\CA\DSM\Bin\cfwlogon.dll 2007-03-03 12:30 27664 c:\Program Files\CA\DSM\Bin\cfWlogon.dll
c:\WINDOWS\system32\NavLogon.dll 2006-05-27 15:06 43760 c:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2004-11-01 12:50 8704 C:\WINDOWS\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ppeclt]
PPEClt.dll 2005-05-25 04:00 163840 C:\WINDOWS\system32\PPEClt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=Workstation_Startup_Script.vbs

R0 aarich;aarich;C:\WINDOWS\system32\DRIVERS\aarich.sys
R0 megasas;DELL PERC RAID Driver;C:\WINDOWS\system32\drivers\megasas.sys
R0 SafeBoot;SafeBoot;C:\WINDOWS\system32\drivers\SafeBoot.sys
R0 SBAlg;SBAlg;C:\WINDOWS\system32\drivers\SBAlg.sys
R1 efPktFtr;ENDFORCE Quarantine Filter;\??\c:\WINDOWS\System32\Drivers\efPktFtr.sys
R1 RsvLock;RsvLock;C:\WINDOWS\system32\drivers\RsvLock.sys
R1 SBFlop;SBFlop;C:\WINDOWS\system32\drivers\SBFlop.sys
R1 SbPrcCtl;SbPrcCtl;C:\WINDOWS\system32\drivers\SbPrcCtl.sys
R2 caf;CA DSM r11 Common Application Framework.;"c:\Program Files\CA\DSM\bin\caf.exe" service
R2 ENDFORCE Agent API;ENDFORCE Agent API;"c:\Program Files\ENDFORCE\AgentAPI.exe"
R2 SafeBootConfigurationManager;SafeBoot Configuration Manager;C:\Program Files\SafeBoot\SBMGRNT.EXE
R2 TivoBeacon2;TiVo Beacon;"C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service
R3 LVPrcMon;Logitech LVPrcMon Driver;\??\C:\WINDOWS\system32\drivers\LVPrcMon.sys
R3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
R4 black;black;C:\WINDOWS\system32\drivers\BlackDrv.sys
S3 RapFile;RapFile;\??\C:\WINDOWS\System32\drivers\RapFile.sys
S3 RapNet;RapNet;\??\C:\WINDOWS\System32\drivers\RapNet.sys
S4 a320raid;a320raid;C:\WINDOWS\system32\DRIVERS\a320raid.sys
S4 aac;PERC 320/DC SCSI RAID Miniport Driver;C:\WINDOWS\system32\DRIVERS\aac.sys
S4 vmscsi;vmscsi;C:\WINDOWS\system32\drivers\vmscsi.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{270f82ac-ff18-11db-915e-0015c548d277}]
\Shell\AutoRun\command - F:\setupSNK.exe

*Newly Created Service* - IG40WNT

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EEBF9CA6-567B-41cd-B5F6-EF2C7FEF37B5}]
rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmactedp.inf,PerUserStub
.
Contents of the 'Scheduled Tasks' folder
"2007-11-21 17:08:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-21 21:38:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-21 21:41:34
C:\ComboFix2.txt ... 2007-11-21 18:18
.
--- E O F ---

#13 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,808 posts

Posted 22 November 2007 - 04:12 AM

Hi again,

That was useful, it shows you have a file-infector virus, which we will now start to remove:

Please download FindAWF:
http://noahdfear.net...ads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: press 2, then Enter, to restore files from bak folders.

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:

C:\CLIENTUS\212043642\BAK\NCUSER.mnv
C:\CLIENTUS\212043642\BAK\UMDAT.DIF
C:\CLIENTWS\BAK\amapp.dat
C:\CLIENTWS\BAK\Compliance.mnv
C:\CLIENTWS\BAK\IG40.INV
C:\CLIENTWS\BAK\NCWORK.mnv
C:\CLIENTWS\BAK\security.MNV
C:\CLIENTWS\security.MNV
C:\CLIENTWS\BAK\UMDAT.DIF
C:\CLIENTWS\BAK\UMISW.DAT
C:\Program Files\Apoint\bak\Apoint.exe
C:\Program Files\CA\DSM\Agent\units\00000001\BAK\basic.inv
C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\amsoft.xml
C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\Compliance.mnv
C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\ENDForce.INV
C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\GEHCInventory.mnv
C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\IG40.INV
C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\PERF.INV
C:\Program Files\CA\DSM\Agent\units\00000001\uam\BAK\Security.mnv
C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe
C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\ENDFORCE\bak\AgntTray.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
C:\Program Files\Logitech\Video\bak\CameraAssistant.exe
C:\Program Files\Logitech\Video\bak\InstallHelper.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\ElkCtrl.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\bak\LVCOMSX.EXE
C:\WINDOWS\system32\bak\WLTRAY.exe
C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE
C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe
D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
D:\Program Files\iTunes\bak\iTunesHelper.exe
D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe
D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe


Next, close the file and click Yes to save the changes.

Once files.txt is saved, FindAWF does the following:
- It attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

jedi
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
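The AWF section of the ComboFix log in post #12 lists each `bak` copy the file infector left behind next to the live file it replaced, and jedi's post above explains that FindAWF option 2 takes a list of those `bak` paths and copies each original back over its parent folder. The following script, an added example that is not part of this thread and not code from FindAWF or ComboFix, parses that AWF layout (attribute field, size, timestamp, path), matches every `bak` entry to its live counterpart case-insensitively, and labels each pair; the sample lines are copied from the thread's own ComboFix log, and the status names (`size-mismatch`, `same-size`, `live-missing`) are this example's own labels.

```python
"""
Pair the 'bak' entries in the AWF section of a ComboFix log with their
live counterparts and classify each pair, so the restore list for FindAWF
(option 2) can be built from the log instead of by hand.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a handful of lines copied from the AWF section
# of the ComboFix log posted earlier in this thread. A live file listed
# beside its bak copy with a different size is the one the infector patched.
SAMPLE_AWF = r"""
----a-w 48,752 2005-10-04 18:42:40 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 48,800 2005-12-21 16:33:28 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

----a-w 15,360 2004-08-02 16:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-02 16:00:00 C:\WINDOWS\system32\ctfmon.exe

----a-w 77,824 2005-12-13 23:41:08 C:\WINDOWS\system32\bak\hkcmd.exe

----a-w 282,624 2006-10-25 23:58:18 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 286,720 2007-10-20 01:16:26 C:\Program Files\QuickTime\QTTask.exe
"""

# One AWF line: 7-character attribute field, size with thousands separators,
# timestamp, then the path (which may contain spaces).
AWF_LINE = re.compile(
    r"^(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d[\d,]*)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$"
)


@dataclass
class Entry:
    attrs: str
    size: int
    when: str
    path: str


@dataclass
class Finding:
    bak_path: str
    live_path: Optional[str]
    bak_size: int
    live_size: Optional[int]
    status: str  # "size-mismatch", "same-size" or "live-missing" (labels are this example's own)


def parse_awf(text: str) -> List[Entry]:
    """Parse the AWF section; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = AWF_LINE.match(line.strip())
        if m:
            entries.append(Entry(m["attrs"], int(m["size"].replace(",", "")),
                                 m["when"], m["path"]))
    return entries


def is_bak_path(path: str) -> bool:
    """True when the file sits directly inside a folder named 'bak'."""
    parts = path.split("\\")
    return len(parts) >= 2 and parts[-2].lower() == "bak"


def original_path_for(bak_path: str) -> str:
    r"""C:\dir\bak\name.exe -> C:\dir\name.exe (where the live copy lives)."""
    parts = bak_path.split("\\")
    return "\\".join(parts[:-2] + parts[-1:])


def pair_entries(entries: List[Entry]) -> List[Finding]:
    """Match every bak entry to its live file, case-insensitively: ComboFix
    prints the live file in its on-disk case (QTTask.exe vs bak\\qttask.exe)."""
    by_path = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        if not is_bak_path(e.path):
            continue
        live = by_path.get(original_path_for(e.path).lower())
        if live is None:
            status = "live-missing"      # live copy already gone (e.g. removed by AV)
        elif live.size != e.size:
            status = "size-mismatch"     # live copy was modified after the backup
        else:
            status = "same-size"         # equal size does not prove the live file is clean
        findings.append(Finding(e.path, live.path if live else None, e.size,
                                live.size if live else None, status))
    return findings


def restore_list(findings: List[Finding]) -> List[str]:
    """The bak paths to paste into FindAWF's files.txt, in log order."""
    return [f.bak_path for f in findings]


if __name__ == "__main__":
    for f in pair_entries(parse_awf(SAMPLE_AWF)):
        print(f"{f.status:14} {f.bak_path}  ->  {f.live_path or '(no live copy)'}")
```

Run against the full AWF section, `restore_list` reproduces the kind of list jedi pasted into files.txt: every `bak` entry is restored regardless of status, because an identical size (ctfmon.exe in the sample) does not show that the live copy is untouched, and a missing live copy (hkcmd.exe) still needs the original put back. The `size-mismatch` rows (ccApp.exe, QTTask.exe) are the ones worth submitting to an AV vendor before they are overwritten.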

#14 victorb

victorb

    Member

  • Full Member
  • 12 posts

Posted 22 November 2007 - 12:58 PM

Thanks Jedi, here is the FindAWF log:

----------------------------


Find AWF report by noahdfear 2006
Version 1.40
Option 2 run successfully

The current date is: 2007-11-22
The current time is: 12:48:27.26


bak folders found
~~~~~~~~~~~


Directory of C:\CLIENTWS\BAK

2007-11-22 11:57 16,054 amapp.dat
2007-11-22 11:58 2,744 Compliance.mnv
2007-11-22 11:58 25,563 IG40.INV
2007-11-22 11:58 721 NCWORK.mnv
2007-11-22 11:58 1,620 security.MNV
2007-11-22 11:58 734 UMDAT.DIF
2007-11-22 11:57 75,734 UMISW.DAT
7 File(s) 123,170 bytes

Directory of C:\CLIENTUS\212043~1\BAK

2007-11-22 11:55 396 NCUSER.mnv
2007-05-08 07:53 412 UMDAT.DIF
2 File(s) 808 bytes

Directory of C:\PROGRA~1\APOINT\BAK

2005-10-07 15:13 176,128 Apoint.exe
1 File(s) 176,128 bytes

Directory of C:\PROGRA~1\ENDFORCE\BAK

2006-01-10 20:16 1,626,112 AgntTray.exe
1 File(s) 1,626,112 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

2006-10-25 18:58 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SAFEBOOT\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

2005-11-15 14:28 85,744 VPTray.exe
1 File(s) 85,744 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2004-08-02 11:00 15,360 ctfmon.exe
2004-11-01 16:22 262,144 ElkCtrl.exe
2005-12-13 18:41 77,824 hkcmd.exe
2005-12-13 18:45 118,784 igfxpers.exe
2005-12-13 18:44 98,304 igfxtray.exe
2005-12-09 14:32 225,280 LVCOMSX.EXE
2005-12-19 10:08 1,347,584 WLTRAY.exe
7 File(s) 2,145,280 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

2005-10-04 13:42 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

2005-12-09 19:29 49,152 DVDLauncher.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

2005-12-07 09:26 489,472 CameraAssistant.exe
2005-12-07 09:33 73,728 InstallHelper.exe
2 File(s) 563,200 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

2004-08-02 11:00 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

2005-09-08 04:20 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\CA\UNICEN~2\AGENTS\BAK

2003-03-07 03:04 45,056 amagent.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

2004-07-27 15:50 81,920 issch.exe
2004-07-27 15:50 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\COMMON~1\TIVOSH~1\TRANSFER\BAK

2006-07-11 07:23 1,174,528 TiVoTransfer.exe
1 File(s) 1,174,528 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

2007-01-25 13:54 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

2006-12-15 03:23 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

2002-08-28 21:39 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

2002-08-28 21:39 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP\BAK

2003-09-03 12:33 192,591 imjpmig.exe
1 File(s) 192,591 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMKR\BAK

2001-01-09 12:01 44,544 imekrmig.exe
1 File(s) 44,544 bytes

Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

2007-02-26 21:30 67,128 LogitechDesktopMessenger.exe
1 File(s) 67,128 bytes

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000001\BAK

2007-11-21 12:45 3,104 basic.inv
1 File(s) 3,104 bytes

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000001\UAM\BAK

2007-11-21 12:49 30,393 amsoft.xml
2007-11-21 12:49 2,961 Compliance.mnv
2007-11-21 12:49 14,130 ENDForce.INV
2007-11-21 12:49 608 GEHCInventory.mnv
2007-11-21 12:49 46,989 IG40.INV
2007-11-21 12:49 289 PERF.INV
2007-11-21 12:49 788 Security.mnv
7 File(s) 96,158 bytes

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000003\UAM\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\OPTIONS\PACKAGES\COREAPPS\ITAMAG~1\UAM\BACKUP\AGENTS\BAK

2003-03-07 03:04 45,056 amagent.exe
1 File(s) 45,056 bytes

Directory of D:\PROGRA~1\EFAXME~1.2\BAK

2006-07-14 15:36 107,008 J2GDllCmd.exe
1 File(s) 107,008 bytes

Directory of D:\PROGRA~1\ITUNES\BAK

2006-10-30 09:36 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of D:\PROGRA~1\HP\HPSOFT~1\BAK

2006-02-19 02:41 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of D:\PROGRA~1\TIVO\DESKTOP\BAK

2006-07-11 07:24 341,504 TiVoNotify.exe
2006-07-11 07:26 1,313,792 TiVoServer.exe
2 File(s) 1,655,296 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

16054 Nov 22 2007 "C:\CLIENTWS\amapp.dat"
16054 Nov 22 2007 "C:\CLIENTWS\BAK\amapp.dat"
2744 Nov 22 2007 "C:\CLIENTWS\Compliance.mnv"
2744 Nov 22 2007 "C:\CLIENTWS\BAK\Compliance.mnv"
2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Compliance.mnv"
2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv"
25563 Nov 22 2007 "C:\CLIENTWS\IG40.INV"
25563 Nov 22 2007 "C:\CLIENTWS\BAK\IG40.INV"
46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\IG40.INV"
46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV"
721 Nov 22 2007 "C:\CLIENTWS\NCWORK.mnv"
721 Nov 22 2007 "C:\CLIENTWS\BAK\NCWORK.mnv"
1620 Nov 22 2007 "C:\CLIENTWS\security.MNV"
1620 Nov 22 2007 "C:\CLIENTWS\BAK\security.MNV"
788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Security.mnv"
788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv"
734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"
412 May 8 2007 "C:\CLIENTUS\212043642\UMDAT.DIF"
734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"
412 May 8 2007 "C:\CLIENTUS\212043642\BAK\UMDAT.DIF"
75734 Nov 22 2007 "C:\CLIENTWS\UMISW.DAT"
75734 Nov 22 2007 "C:\CLIENTWS\BAK\UMISW.DAT"
396 Nov 22 2007 "C:\CLIENTUS\212043642\NCUSER.mnv"
396 Nov 22 2007 "C:\CLIENTUS\212043642\BAK\NCUSER.mnv"
734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"
412 May 8 2007 "C:\CLIENTUS\212043642\UMDAT.DIF"
734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"
412 May 8 2007 "C:\CLIENTUS\212043642\BAK\UMDAT.DIF"
176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"
176128 Oct 7 2005 "C:\DRV\D620\Input\R113813\Apoint.exe"
176128 Oct 7 2005 "C:\SUPPORT\DRV\D620\Input\R113813\Apoint.exe"
1626112 Jan 10 2006 "C:\Program Files\ENDFORCE\bak\AgntTray.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
85744 May 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 2 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 2 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Feb 21 2001 "C:\SUPPORT\Base_Applications\Officexp\Base\Files\System\Ctfmon.exe"
8192 Feb 21 2001 "C:\SUPPORT\Software\MSOutlook\English\Files\System\Ctfmon.exe"
262144 Nov 1 2004 "C:\WINDOWS\system32\ElkCtrl.exe"
262144 Nov 1 2004 "C:\WINDOWS\system32\bak\ElkCtrl.exe"
77824 Dec 13 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
77824 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\hkcmd.exe"
118784 Oct 2 2003 "C:\WINDOWS\drivers\intel\graphics\Win2000\hkcmd.exe"
77824 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\hkcmd.exe"
118784 Dec 13 2005 "C:\WINDOWS\system32\igfxpers.exe"
118784 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
118784 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\igfxpers.exe"
118784 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\igfxpers.exe"
98304 Dec 13 2005 "C:\WINDOWS\system32\igfxtray.exe"
98304 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
98304 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\igfxtray.exe"
155648 Oct 2 2003 "C:\WINDOWS\drivers\intel\graphics\Win2000\igfxtray.exe"
98304 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\igfxtray.exe"
225280 Dec 9 2005 "C:\WINDOWS\system32\LVCOMSX.EXE"
225280 Dec 9 2005 "C:\WINDOWS\system32\bak\LVCOMSX.EXE"
1347584 Dec 19 2005 "C:\WINDOWS\system32\WLTRAY.exe"
1347584 Dec 19 2005 "C:\WINDOWS\system32\bak\WLTRAY.exe"
1347584 Dec 19 2005 "C:\DRV\D620\Network\R115321\wltray.exe"
1347584 Dec 19 2005 "C:\SUPPORT\DRV\D620\Network\R115321\wltray.exe"
48800 Dec 21 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Dec 9 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
489472 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\CameraAssistant.exe"
233472 Nov 2 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowMC\CameraLauncherMC.exe"
106496 Nov 1 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncher.exe"
372736 Mar 2 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowDVC\CameraLauncherDVC.exe"
73728 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\InstallHelper.exe"
147456 Jul 14 2005 "C:\SUPPORT\Base_Applications\VPN_Client\CiscoVPNClient\installservice.exe"
15872 Feb 21 2003 "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe"
28672 Sep 23 2005 "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
173736 Feb 24 2007 "D:\Deckard\System Scanner\backup\WINDOWS\temp\Installer.exe"
208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE"
208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"
192591 Sep 2 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE"
192591 Sep 3 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
122940 Sep 8 2005 "C:\Program Files\Roxio\Creator Plus-Dell Edition\DLA\install\dlactrlw.exe"
45056 Mar 6 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE"
45056 Mar 7 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe"
45056 Mar 6 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\SRC\AMAGENT.EXE"
45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\amagent.exe"
45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe"
1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"
52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar2user.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
26694 Oct 22 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
171448 Jan 25 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE"
208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"
192591 Sep 2 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE"
192591 Sep 3 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe"
44032 Aug 23 2001 "C:\WINDOWS\ime\imkr6_1\imekrmig.exe"
44544 Jan 9 2001 "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe"
81920 Dec 6 2005 "C:\Program Files\Logitech\Video\LogitechUpdate.exe"
67128 Feb 26 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
3104 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\basic.inv"
3104 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\BAK\basic.inv"
30393 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\amsoft.xml"
2744 Nov 22 2007 "C:\CLIENTWS\Compliance.mnv"
2744 Nov 22 2007 "C:\CLIENTWS\BAK\Compliance.mnv"
2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Compliance.mnv"
2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv"
14130 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\ENDForce.INV"
14130 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\ENDForce.INV"
608 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\GEHCInventory.mnv"
608 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\GEHCInventory.mnv"
25563 Nov 22 2007 "C:\CLIENTWS\IG40.INV"
25563 Nov 22 2007 "C:\CLIENTWS\BAK\IG40.INV"
46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\IG40.INV"
46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV"
289 May 23 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\PERF.INV"
289 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\PERF.INV"
1620 Nov 22 2007 "C:\CLIENTWS\security.MNV"
1620 Nov 22 2007 "C:\CLIENTWS\BAK\security.MNV"
788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Security.mnv"
788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv"
45056 Mar 6 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE"
45056 Mar 7 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe"
45056 Mar 6 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\SRC\AMAGENT.EXE"
45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\amagent.exe"
45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe"
107008 Jul 14 2006 "D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe"
102400 Nov 14 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
267048 Nov 2 2007 "D:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"
116008 Nov 14 2007 "D:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
49152 Feb 19 2006 "D:\Program Files\HP\HP Software Update\hpwuSchd2.exe"
49152 Feb 19 2006 "D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
341504 Jul 11 2006 "D:\Program Files\TiVo\Desktop\TiVoNotify.exe"
341504 Jul 11 2006 "D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe"
1313792 Jul 11 2006 "D:\Program Files\TiVo\Desktop\TiVoServer.exe"
1313792 Jul 11 2006 "D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe"


end of report

#15 jedi

    aequam memento rebus in arduis servare mentem

  • Administrators
  • 15,808 posts

Posted 22 November 2007 - 01:30 PM

Hi again,

Double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders.

A text file opens called folders.txt.
Click below the line and paste the following list of folders to be removed:


C:\CLIENTWS\BAK\amapp.dat
C:\CLIENTWS\BAK\Compliance.mnv
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv
C:\CLIENTWS\BAK\IG40.INV
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV
C:\CLIENTWS\BAK\NCWORK.mnv
C:\CLIENTWS\BAK\security.MNV
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv
C:\CLIENTWS\BAK\UMDAT.DIF
C:\CLIENTUS\212043642\BAK\UMDAT.DIF
C:\CLIENTWS\BAK\UMISW.DAT
C:\CLIENTUS\212043642\BAK\NCUSER.mnv
C:\CLIENTWS\BAK\UMDAT.DIF
C:\CLIENTUS\212043642\BAK\UMDAT.DIF
C:\Program Files\Apoint\bak\Apoint.exe
C:\Program Files\ENDFORCE\bak\AgntTray.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\ElkCtrl.exe
C:\WINDOWS\system32\bak\hkcmd.exe
C:\WINDOWS\system32\bak\igfxpers.exe
C:\WINDOWS\system32\bak\igfxtray.exe
C:\WINDOWS\system32\bak\LVCOMSX.EXE
C:\WINDOWS\system32\bak\WLTRAY.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe
C:\Program Files\Logitech\Video\bak\CameraAssistant.exe
C:\Program Files\Logitech\Video\bak\InstallHelper.exe
C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe
C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE
C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe
C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe
C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe
C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe
C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE
C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE
C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe
C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe
C:\Program Files\CA\DSM\Agent\units000001\BAK\basic.inv
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\amsoft.xml
C:\CLIENTWS\BAK\Compliance.mnv
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\ENDForce.INV
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\GEHCInventory.mnv
C:\CLIENTWS\BAK\IG40.INV
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\PERF.INV
C:\CLIENTWS\BAK\security.MNV
C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv
C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe
C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe
D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe
D:\Program Files\iTunes\bak\iTunesHelper.exe
D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe
D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe


Next, close and click Yes to save the changes.

Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

jedi
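
The pairing that FindAWF's option 2 (post #13, restore originals) and option 3 (post #15, remove the bak folders) act on can be checked by hand from the "Duplicate files of bak directory contents" section of the report in post #14. The script below is an added example for this thread; it is not FindAWF's code and not part of the original posts. It parses report lines in that section's format, pairs each file that sits in a `bak` folder with the same-named file in the parent folder, and flags two things worth a reviewer's attention: a size difference (the file in place is no longer the saved original, either because the infection replaced it or because the program was legitimately updated after the copy was made, as with QTTask.exe above) and a parent that the report does not list at all. `plan_option2` prints the steps post #13 describes (terminate by file name, delete the parent-folder file if present, copy the original back) as a dry run only; nothing is terminated, deleted or copied. The sample lines are constructed in the report's format from entries visible in this thread.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample lines in the shape of FindAWF's "Duplicate files of bak
# directory contents" section (<size> <Mon> <day> <year> "<path>"), modeled on
# entries from the report in this thread. They are test data, not a live scan.
SAMPLE_REPORT = r'''
85744 May 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
1626112 Jan 10 2006 "C:\Program Files\ENDFORCE\bak\AgntTray.exe"
15360 Aug 2 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 2 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Feb 21 2001 "C:\SUPPORT\Base_Applications\Officexp\Base\Files\System\Ctfmon.exe"
'''

LINE_RE = re.compile(r'^(\d+)\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"$')

Entry = namedtuple("Entry", "size date path")
# parent is None when the report lists no same-named file in the parent folder.
Finding = namedtuple("Finding", "bak parent parent_path status same_date")


def parse_report(text):
    """Turn report lines into Entry records; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size, mon, day, year, path = m.groups()
        date = datetime.strptime(f"{mon} {day} {year}", "%b %d %Y").date()
        entries.append(Entry(int(size), date, path))
    return entries


def parent_of(bak_path):
    """Return the expected original location of a file that sits in a bak
    folder, or None if the file's containing folder is not named bak."""
    parts = bak_path.split("\\")
    if len(parts) < 3 or parts[-2].lower() != "bak":
        return None
    return "\\".join(parts[:-2] + [parts[-1]])


def audit(text):
    """Pair every bak copy with the same-named file in its parent folder.

    status is one of:
      same-size       parent exists and has the bak copy's size
      size-differs    parent exists but its size differs: the file in place is
                      not the saved original (replaced by the infection, or
                      legitimately updated after the copy was made); review it
      parent-missing  the report lists nothing at the parent location
    """
    entries = parse_report(text)
    by_path = {e.path.lower(): e for e in entries}   # the report mixes path case
    findings = []
    for e in entries:
        target = parent_of(e.path)
        if target is None:
            continue
        parent = by_path.get(target.lower())
        if parent is None:
            status, same_date = "parent-missing", False
        else:
            status = "same-size" if parent.size == e.size else "size-differs"
            same_date = parent.date == e.date
        findings.append(Finding(e, parent, target, status, same_date))
    return findings


def plan_option2(findings):
    """Dry run of the per-file steps FindAWF's option 2 performs: terminate the
    process by file name, delete the parent-folder file if present, copy the
    bak original back into the parent folder. Nothing here touches the disk."""
    steps = []
    for f in findings:
        name = f.bak.path.split("\\")[-1]
        steps.append(("terminate", name))
        if f.parent is not None:
            steps.append(("delete", f.parent.path))
        steps.append(("copy", f.bak.path, f.parent_path))
    return steps


if __name__ == "__main__":
    findings = audit(SAMPLE_REPORT)
    for f in findings:
        detail = "" if f.parent is None else (
            f"  (in place: {f.parent.size} bytes, bak: {f.bak.size} bytes)")
        print(f"{f.status:15} {f.bak.path}{detail}")
    for step in plan_option2(findings):
        print(" ".join(step))
```

Run against a real FindAWF log, paste the duplicate section into `SAMPLE_REPORT` or read it from a file; the `parent-missing` and `size-differs` findings are the ones to read closely before letting option 2 overwrite what is in place, since a size difference alone does not say which copy is the trustworthy one.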

#16 victorb

    Member

  • Full Member
  • 12 posts

Posted 22 November 2007 - 01:38 PM

Hi again, and here is the latest log:

------------------------------------


Find AWF report by noahdfear 2006
Version 1.40
Option 3 run successfully

The current date is: 2007-11-22
The current time is: 13:34:41.29


bak folders found
~~~~~~~~~~~


Directory of C:\CLIENTWS\BAK

2007-11-22 11:57 16,054 amapp.dat
2007-11-22 11:58 2,744 Compliance.mnv
2007-11-22 11:58 25,563 IG40.INV
2007-11-22 11:58 721 NCWORK.mnv
2007-11-22 11:58 1,620 security.MNV
2007-11-22 11:58 734 UMDAT.DIF
2007-11-22 11:57 75,734 UMISW.DAT
7 File(s) 123,170 bytes

Directory of C:\CLIENTUS\212043~1\BAK

2007-11-22 11:55 396 NCUSER.mnv
2007-05-08 07:53 412 UMDAT.DIF
2 File(s) 808 bytes

Directory of C:\PROGRA~1\APOINT\BAK

2005-10-07 15:13 176,128 Apoint.exe
1 File(s) 176,128 bytes

Directory of C:\PROGRA~1\ENDFORCE\BAK

2006-01-10 20:16 1,626,112 AgntTray.exe
1 File(s) 1,626,112 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

2006-10-25 18:58 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\SAFEBOOT\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\SYMANT~1\BAK

2005-11-15 14:28 85,744 VPTray.exe
1 File(s) 85,744 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

2004-08-02 11:00 15,360 ctfmon.exe
2004-11-01 16:22 262,144 ElkCtrl.exe
2005-12-13 18:41 77,824 hkcmd.exe
2005-12-13 18:45 118,784 igfxpers.exe
2005-12-13 18:44 98,304 igfxtray.exe
2005-12-09 14:32 225,280 LVCOMSX.EXE
2005-12-19 10:08 1,347,584 WLTRAY.exe
7 File(s) 2,145,280 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

2005-10-04 13:42 48,752 ccApp.exe
1 File(s) 48,752 bytes

Directory of C:\PROGRA~1\CYBERL~1\POWERDVD\BAK

2005-12-09 19:29 49,152 DVDLauncher.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

2005-12-07 09:26 489,472 CameraAssistant.exe
2005-12-07 09:33 73,728 InstallHelper.exe
2 File(s) 563,200 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

2004-08-02 11:00 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

2005-09-08 04:20 122,940 DLACTRLW.EXE
1 File(s) 122,940 bytes

Directory of C:\PROGRA~1\CA\UNICEN~2\AGENTS\BAK

2003-03-07 03:04 45,056 amagent.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\BAK

2004-07-27 15:50 81,920 issch.exe
2004-07-27 15:50 221,184 ISUSPM.exe
2 File(s) 303,104 bytes

Directory of C:\PROGRA~1\COMMON~1\TIVOSH~1\TRANSFER\BAK

2006-07-11 07:23 1,174,528 TiVoTransfer.exe
1 File(s) 1,174,528 bytes

Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\121128~1.546\BAK

2007-01-25 13:54 171,448 GoogleToolbarNotifier.exe
1 File(s) 171,448 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~2.0_1\BIN\BAK

2006-12-15 03:23 75,520 jusched.exe
1 File(s) 75,520 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\PINTLGNT\BAK

2002-08-28 21:39 59,392 ImScInst.exe
1 File(s) 59,392 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

2002-08-28 21:39 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMJP\BAK

2003-09-03 12:33 192,591 imjpmig.exe
1 File(s) 192,591 bytes

Directory of C:\PROGRA~1\COMMON~1\MICROS~1\IME\IMKR\BAK

2001-01-09 12:01 44,544 imekrmig.exe
1 File(s) 44,544 bytes

Directory of C:\PROGRA~1\LOGITECH\DESKTO~1\8876480\PROGRAM\BAK

2007-02-26 21:30 67,128 LogitechDesktopMessenger.exe
1 File(s) 67,128 bytes

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000001\BAK

2007-11-21 12:45 3,104 basic.inv
1 File(s) 3,104 bytes

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000001\UAM\BAK

2007-11-21 12:49 30,393 amsoft.xml
2007-11-21 12:49 2,961 Compliance.mnv
2007-11-21 12:49 14,130 ENDForce.INV
2007-11-21 12:49 608 GEHCInventory.mnv
2007-11-21 12:49 46,989 IG40.INV
2007-11-21 12:49 289 PERF.INV
2007-11-21 12:49 788 Security.mnv
7 File(s) 96,158 bytes

Directory of C:\PROGRA~1\CA\DSM\AGENT\UNITS000003\UAM\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\OPTIONS\PACKAGES\COREAPPS\ITAMAG~1\UAM\BACKUP\AGENTS\BAK

2003-03-07 03:04 45,056 amagent.exe
1 File(s) 45,056 bytes

Directory of D:\PROGRA~1\EFAXME~1.2\BAK

2006-07-14 15:36 107,008 J2GDllCmd.exe
1 File(s) 107,008 bytes

Directory of D:\PROGRA~1\ITUNES\BAK

2006-10-30 09:36 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of D:\PROGRA~1\HP\HPSOFT~1\BAK

2006-02-19 02:41 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of D:\PROGRA~1\TIVO\DESKTOP\BAK

2006-07-11 07:24 341,504 TiVoNotify.exe
2006-07-11 07:26 1,313,792 TiVoServer.exe
2 File(s) 1,655,296 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

16054 Nov 22 2007 "C:\CLIENTWS\amapp.dat"
16054 Nov 22 2007 "C:\CLIENTWS\BAK\amapp.dat"
2744 Nov 22 2007 "C:\CLIENTWS\Compliance.mnv"
2744 Nov 22 2007 "C:\CLIENTWS\BAK\Compliance.mnv"
2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Compliance.mnv"
2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv"
25563 Nov 22 2007 "C:\CLIENTWS\IG40.INV"
25563 Nov 22 2007 "C:\CLIENTWS\BAK\IG40.INV"
46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\IG40.INV"
46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV"
721 Nov 22 2007 "C:\CLIENTWS\NCWORK.mnv"
721 Nov 22 2007 "C:\CLIENTWS\BAK\NCWORK.mnv"
1620 Nov 22 2007 "C:\CLIENTWS\security.MNV"
1620 Nov 22 2007 "C:\CLIENTWS\BAK\security.MNV"
788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Security.mnv"
788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv"
734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"
412 May 8 2007 "C:\CLIENTUS\212043642\UMDAT.DIF"
734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"
412 May 8 2007 "C:\CLIENTUS\212043642\BAK\UMDAT.DIF"
75734 Nov 22 2007 "C:\CLIENTWS\UMISW.DAT"
75734 Nov 22 2007 "C:\CLIENTWS\BAK\UMISW.DAT"
396 Nov 22 2007 "C:\CLIENTUS\212043642\NCUSER.mnv"
396 Nov 22 2007 "C:\CLIENTUS\212043642\BAK\NCUSER.mnv"
734 Nov 22 2007 "C:\CLIENTWS\UMDAT.DIF"
412 May 8 2007 "C:\CLIENTUS\212043642\UMDAT.DIF"
734 Nov 22 2007 "C:\CLIENTWS\BAK\UMDAT.DIF"
412 May 8 2007 "C:\CLIENTUS\212043642\BAK\UMDAT.DIF"
176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"
176128 Oct 7 2005 "C:\DRV\D620\Input\R113813\Apoint.exe"
176128 Oct 7 2005 "C:\SUPPORT\DRV\D620\Input\R113813\Apoint.exe"
1626112 Jan 10 2006 "C:\Program Files\ENDFORCE\bak\AgntTray.exe"
286720 Oct 19 2007 "C:\Program Files\QuickTime\QTTask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
85744 May 27 2006 "C:\Program Files\Symantec AntiVirus\VPTray.exe"
85744 Nov 15 2005 "C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
15360 Aug 2 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 2 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
8192 Feb 21 2001 "C:\SUPPORT\Base_Applications\Officexp\Base\Files\System\Ctfmon.exe"
8192 Feb 21 2001 "C:\SUPPORT\Software\MSOutlook\English\Files\System\Ctfmon.exe"
262144 Nov 1 2004 "C:\WINDOWS\system32\ElkCtrl.exe"
262144 Nov 1 2004 "C:\WINDOWS\system32\bak\ElkCtrl.exe"
77824 Dec 13 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Dec 13 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
77824 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\hkcmd.exe"
118784 Oct 2 2003 "C:\WINDOWS\drivers\intel\graphics\Win2000\hkcmd.exe"
77824 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\hkcmd.exe"
118784 Dec 13 2005 "C:\WINDOWS\system32\igfxpers.exe"
118784 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
118784 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\igfxpers.exe"
118784 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\igfxpers.exe"
98304 Dec 13 2005 "C:\WINDOWS\system32\igfxtray.exe"
98304 Dec 13 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
98304 Dec 13 2005 "C:\DRV\D620\Video\R114946\Win2000\igfxtray.exe"
155648 Oct 2 2003 "C:\WINDOWS\drivers\intel\graphics\Win2000\igfxtray.exe"
98304 Dec 13 2005 "C:\SUPPORT\DRV\D620\Video\R114946\Win2000\igfxtray.exe"
225280 Dec 9 2005 "C:\WINDOWS\system32\LVCOMSX.EXE"
225280 Dec 9 2005 "C:\WINDOWS\system32\bak\LVCOMSX.EXE"
1347584 Dec 19 2005 "C:\WINDOWS\system32\WLTRAY.exe"
1347584 Dec 19 2005 "C:\WINDOWS\system32\bak\WLTRAY.exe"
1347584 Dec 19 2005 "C:\DRV\D620\Network\R115321\wltray.exe"
1347584 Dec 19 2005 "C:\SUPPORT\DRV\D620\Network\R115321\wltray.exe"
48800 Dec 21 2005 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
48752 Oct 4 2005 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Dec 9 2005 "C:\Program Files\CyberLink\PowerDVD\bak\DVDLauncher.exe"
489472 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\CameraAssistant.exe"
233472 Nov 2 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowMC\CameraLauncherMC.exe"
106496 Nov 1 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowDVC6\CameraLauncher.exe"
372736 Mar 2 2005 "D:\Program Files\Canon\CameraWindow\CameraWindowDVC\CameraLauncherDVC.exe"
73728 Dec 7 2005 "C:\Program Files\Logitech\Video\bak\InstallHelper.exe"
147456 Jul 14 2005 "C:\SUPPORT\Base_Applications\VPN_Client\CiscoVPNClient\installservice.exe"
15872 Feb 21 2003 "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\InstallUtil.exe"
28672 Sep 23 2005 "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe"
173736 Feb 24 2007 "D:\Deckard\System Scanner\backup\WINDOWS\temp\Installer.exe"
208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE"
208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"
192591 Sep 2 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE"
192591 Sep 3 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\DLACTRLW.EXE"
122940 Sep 8 2005 "C:\WINDOWS\system32\DLA\bak\DLACTRLW.EXE"
122940 Sep 8 2005 "C:\Program Files\Roxio\Creator Plus-Dell Edition\DLA\install\dlactrlw.exe"
45056 Mar 6 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE"
45056 Mar 7 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe"
45056 Mar 6 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\SRC\AMAGENT.EXE"
45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\amagent.exe"
45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe"
81920 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe"
221184 Jul 27 2004 "C:\Program Files\Common Files\InstallShield\UpdateService\bak\ISUSPM.exe"
1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe"
1174528 Jul 11 2006 "C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"
52272 Jan 25 2007 "C:\Program Files\Google\googletoolbar2user.exe"
69632 Sep 12 2007 "C:\Program Files\Google\Google Earth\googleearth.exe"
26694 Oct 22 2007 "C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe"
171448 Jan 25 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\bak\GoogleToolbarNotifier.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
132496 Sep 25 2007 "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\bak\jusched.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe"
59392 Aug 28 2002 "C:\WINDOWS\system32\IME\PINTLGNT\bak\ImScInst.exe"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE"
455168 Aug 28 2002 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"
208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\IMJPMIG.EXE"
208952 Aug 2 2004 "C:\WINDOWS\ime\imjp8_1\bak\IMJPMIG.EXE"
192591 Sep 2 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\IMJPMIG.EXE"
192591 Sep 3 2003 "C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\bak\imjpmig.exe"
44032 Aug 23 2001 "C:\WINDOWS\ime\imkr6_1\imekrmig.exe"
44544 Jan 9 2001 "C:\Program Files\Common Files\Microsoft Shared\IME\IMKR\bak\imekrmig.exe"
81920 Dec 6 2005 "C:\Program Files\Logitech\Video\LogitechUpdate.exe"
67128 Feb 26 2007 "C:\Program Files\Logitech\Desktop Messenger\8876480\Program\bak\LogitechDesktopMessenger.exe"
3104 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\basic.inv"
3104 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\BAK\basic.inv"
30393 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\amsoft.xml"
2744 Nov 22 2007 "C:\CLIENTWS\Compliance.mnv"
2744 Nov 22 2007 "C:\CLIENTWS\BAK\Compliance.mnv"
2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Compliance.mnv"
2961 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Compliance.mnv"
14130 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\ENDForce.INV"
14130 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\ENDForce.INV"
608 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\GEHCInventory.mnv"
608 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\GEHCInventory.mnv"
25563 Nov 22 2007 "C:\CLIENTWS\IG40.INV"
25563 Nov 22 2007 "C:\CLIENTWS\BAK\IG40.INV"
46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\IG40.INV"
46989 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\IG40.INV"
289 May 23 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\PERF.INV"
289 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\PERF.INV"
1620 Nov 22 2007 "C:\CLIENTWS\security.MNV"
1620 Nov 22 2007 "C:\CLIENTWS\BAK\security.MNV"
788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\Security.mnv"
788 Nov 21 2007 "C:\Program Files\CA\DSM\Agent\units000001\uam\BAK\Security.mnv"
45056 Mar 6 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\AMAGENT.EXE"
45056 Mar 7 2003 "C:\Program Files\CA\Unicenter Asset Management\Agents\bak\amagent.exe"
45056 Mar 6 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\SRC\AMAGENT.EXE"
45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\amagent.exe"
45056 Mar 7 2003 "C:\WINDOWS\Options\Packages\Coreapps\ITAMAgents\UAM\Backup\Agents\bak\amagent.exe"
107008 Jul 14 2006 "D:\Program Files\eFax Messenger 4.2\bak\J2GDllCmd.exe"
102400 Nov 14 2007 "C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe"
267048 Nov 2 2007 "D:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "D:\Program Files\iTunes\bak\iTunesHelper.exe"
116008 Nov 14 2007 "D:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.5.0.20\iTunesSetupAdmin.exe"
49152 Feb 19 2006 "D:\Program Files\HP\HP Software Update\hpwuSchd2.exe"
49152 Feb 19 2006 "D:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
341504 Jul 11 2006 "D:\Program Files\TiVo\Desktop\TiVoNotify.exe"
341504 Jul 11 2006 "D:\Program Files\TiVo\Desktop\bak\TiVoNotify.exe"
1313792 Jul 11 2006 "D:\Program Files\TiVo\Desktop\TiVoServer.exe"
1313792 Jul 11 2006 "D:\Program Files\TiVo\Desktop\bak\TiVoServer.exe"


end of report

#17 jedi

Posted 22 November 2007 - 01:44 PM

Hi again,

Double-click the FindAWF icon once again.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Then please post a new HiJackThis log, and let me know how your PC is running now.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#18 victorb

Posted 22 November 2007 - 01:54 PM

Hi Jedi, I did everything suggested, and the following is the latest HijackThis log. The computer appears to be running without problems now:

----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:53, on 2007-11-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\SafeBoot\SBMGRNT.EXE
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Lavasoft\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
c:\Program Files\CA\SC\CAM\bin\cam.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
c:\Program Files\ENDFORCE\AgentAPI.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\UMCSTUB.EXE
c:\Program Files\CA\DSM\bin\caf.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\CA\DSM\Bin\cfsmsmd.exe
c:\Program Files\CA\DSM\Bin\ccnfagent.exe
c:\Program Files\CA\DSM\Bin\cfnotsrvd.exe
c:\Program Files\CA\DSM\Bin\ccsmagtd.exe
c:\Program Files\CA\DSM\Bin\amswmagt.exe
c:\Program Files\CA\DSM\PMAgent\capmuamagt.exe
c:\Program Files\CA\DSM\Bin\cfftplugin.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CA\DSM\bin\cfSysTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISS\issSensors\DesktopProtection\blackice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
D:\Program Files\Skype\Phone\Skype.exe
D:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://healthcare.home.ge.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://healthcare.home.ge.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://gems.setpac.ge.com:1533/pac.pac
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SupportCentral - {E5CA3FCB-32F0-4602-A3FD-0785E3F0F5BF} - C:\WINDOWS\System32\SCTOOL~1.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SBMGRNT.EXE] C:\PROGRA~1\SafeBoot\SBMGRNT.EXE -WinLogon
O4 - HKLM\..\Run: [CA-AMAgent] "C:\Program Files\CA\Unicenter Asset Management\Agents\amagent.exe"
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [DsmSxplog] "c:\Program Files\CA\DSM\Bin\sxpstub.exe"
O4 - HKLM\..\Run: [CAF_SystemTray] "c:\Program Files\CA\DSM\bin\cfSysTray.exe"
O4 - HKLM\..\Run: [DLCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [2] \\am.med.ge.com\sysvol\am.med.ge.com\scripts\Unicenter\DSMSDAMV2.exe
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Startup: Infotriever.lnk = C:\Program Files\Infotriever\Agent\infoclient.exe
O4 - Startup: Yahoo! Widget Engine.lnk = D:\Program Files\Yahoo!\Widgets\YahooWidgetEngine.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmone\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = ?
O4 - Global Startup: Mobile Suite Client.lnk = C:\Program Files\Intellisync Mobile Suite\Client\ClientShell.exe
O4 - Global Startup: RealSecure® Desktop Protector.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\aol\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://healthcare.home.ge.com
O16 - DPF: Sametime MRC 651FP1 - http://medmeeting01....gRoomClient.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=67633
O16 - DPF: {09141A78-37A9-46CF-ACE9-AE0E4684B981} (Siebel High Interactivity Framework) - http://svc.med.ge.co...x_HI_Client.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {36E4E9BC-4D0C-41B4-90C9-37AFDBFAAD3C} (InforbitHelper Class) - https://download.inf...in/ifhelper.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by111w.bay111...es/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {819647C8-39C0-4C59-811C-928277815701} (Siebel Email Support for Microsoft Outlook and Lotus Notes) - http://svc.med.ge.co...tBound_mail.cab
O16 - DPF: {8C244272-1DC1-4CE7-9C6C-FABCA09EB543} (Siebel Desktop Integration) - http://svc.med.ge.co...Integration.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {8F0DF9DB-AA5A-4ED0-9176-1C4A9C762C59} (JNILoader Control) - http://medmeeting01....STJNILoader.cab
O16 - DPF: {DCBDA427-FB4C-46BF-A442-41EC5BA87F1B} - https://racalendarpl...000RCOGN000.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://emeetings.we...bex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\Software\..\Telephony: DomainName = clients.am.health.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.am.health.ge.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = am.health.ge.com,health.ge.com,am.med.ge.com,med.ge.com,e2k.ad.ge.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CAF - c:\Program Files\CA\DSM\Bin\cfwlogon.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\Program Files\Lavasoft\aawservice.exe
O23 - Service: Asset Management Agent (AmoAgent) - Computer Associates International, Inc. - C:\WINDOWS\UMCSTUB.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: CA Message Queuing Server (CA-MessageQueuing) - CA, Inc. - c:\Program Files\CA\SC\CAM\bin\cam.exe
O23 - Service: CA DSM r11 Common Application Framework. (caf) - CA - c:\Program Files\CA\DSM\bin\caf.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcf_device - - C:\WINDOWS\system32\dlcfcoms.exe
O23 - Service: ENDFORCE Agent API - ENDFORCE, Inc. - c:\Program Files\ENDFORCE\AgentAPI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: SafeBoot Configuration Manager (SafeBootConfigurationManager) - Control Break International - C:\Program Files\SafeBoot\SBMGRNT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 14230 bytes
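
A small triage pass over a log in the HijackThis 2.0.2 format above, added here as an example and not part of the original thread or of the HijackThis tool. It pulls out the entry classes a helper looks at first: references to files that no longer exist, autostart commands given without a path, services whose vendor is listed as Unknown owner, and O16 ActiveX downloads. The sample lines are constructed to mirror the entries in the log posted above.

```python
import re

# Constructed sample in the shape of a HijackThis 2.0.2 log; the lines
# mirror entry types that appear in the thread's log.
SAMPLE_LOG = """\
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\\..\\Run: [ccApp] "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\\Program Files\\Paltalk Messenger\\Paltalk.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\\WINDOWS\\System32\\WLTRYSVC.EXE
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\\Program Files\\Symantec AntiVirus\\Rtvscan.exe
"""

# Every HijackThis entry starts with a section tag (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# Markers HijackThis prints when the referenced file is gone from disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(text):
    """Return (section, body) tuples; header and process-list lines have
    no section tag and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(text):
    """Bucket entries by the first things a log reader checks."""
    findings = {"orphan": [], "bare_run": [], "unknown_owner": [], "activex": []}
    for sec, body in parse_entries(text):
        if any(mark in body for mark in ORPHAN_MARKERS):
            # Leftover registry references to deleted files (cleanup residue).
            findings["orphan"].append(f"{sec} - {body}")
        elif sec == "O4":
            # Command after "[name] "; a bare file name is resolved through
            # the search path at logon, so it deserves a second look.
            cmd = body.split("] ", 1)[-1].strip().strip('"')
            if "\\" not in cmd:
                findings["bare_run"].append(cmd)
        elif sec == "O23" and "- Unknown owner -" in body:
            # Service binary with no vendor name recorded.
            findings["unknown_owner"].append(body.split(" - ")[-1])
        elif sec == "O16":
            # Downloaded ActiveX controls; each one is a remote code source.
            findings["activex"].append(body)
    return findings
```

Run `triage(SAMPLE_LOG)` on a full log to get a short list to review by hand; the buckets are a reading aid, not a verdict on any entry.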

#19 jedi

Posted 23 November 2007 - 04:52 AM

Hi again,

Your log looks clean. :thumbsup:

In order to be better protected in the future, I recommend the following programs:

SpywareBlaster protects against bad ActiveX.
http://www.javacools...areblaster.html

SpywareGuard stops Spyware from being installed.
http://www.javacools...ywareguard.html

Also install the MVPS hosts file:
http://www.mvps.org/...p2002/hosts.htm
which blocks innocent looking sites that are not so innocent.

All three are very small free programs that you run once, and then just occasionally to check for updates.

Also see
How did I get Infected?

Finally, it is best to update your system regularly, to ensure you have the latest security patches from Microsoft. Update by clicking
here http://v4.windowsupdate.microsoft.com/
and following the prompts.

jedi :)

#20 victorb

Posted 24 November 2007 - 04:43 PM

Many thanks for all the help Jedi, it is really very much appreciated. I hope you enjoy a very happy holiday season.

Best wishes,

victorb

#21 jedi

Posted 25 November 2007 - 04:33 AM

You're most welcome. Happy holidays to you and yours also.

jedi :wave:

#22 jedi

Posted 26 November 2007 - 05:02 PM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.