
Help to remove PSW Trojan Horse


Original Message
Name: ZGMFX05A
Date: July 3, 2008 at 18:50:50 Pacific
Subject: Help to remove PSW Trojan Horse
OS: Windows XP
CPU/Ram: 1GB
Comment:

Hi,
My computer has recently been troubled by this PSW trojan horse, which I failed to remove using Ad-aware 6, Spybot and AVG Free 8.0. The problem returns even after removing the threat using AVG. I have read in this forum about the use of HJT to scan the computer. Help is needed, and I kindly hope that anyone with expertise in this can help me out. Thank you. Please inform me if there is a need for me to post the log. Thank you.




Response Number 1
Name: btk1w1
Date: July 3, 2008 at 19:58:01 Pacific
Reply:

Heya ZGMFX05A,

Can you post your HJT log?



Response Number 2
Name: ZGMFX05A
Date: July 6, 2008 at 00:53:56 Pacific
Reply:

Hi btklwl, below is my log. Thank you for your attention.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:50:58 PM, on 7/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exeac
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\CTHELPER.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: skqncbib.dll - {32023698-6984-8541-9654-698745012523} - (no file)
O2 - BHO: zywlcime.dll - {37A924AF-1A5F-CF21-AB1D-1D5CF82A8A73} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: lofsdjbo.dll - {470165F1-9F65-569F-F895-F14F58F41074} - (no file)
O2 - BHO: akjsdkaq.dll - {4A908760-8000-4000-A000-9000322145A4} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: zxmsdwin.dll - {7A041F13-A111-12A3-B0CF-F99818AA68A7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: apsggjba.dll - {7FD45A54-9875-698F-E56E-65102358FDF7} - (no file)
O2 - BHO: mndshsrv.dll - {87FD640A-158F-48AC-FD14-1597F14A9778} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O15 - Trusted Zone: *.whataboutadog.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/1502...
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://cid-7953bf3b33480434.spaces....
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/1502...
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binar...
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: SysCvCWm.dll,skqncbib.dll,akjsdkaq.dll,avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Apache Tomcat (Tomcat5) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 5.5\bin\tomcat5.exe

--
End of file - 8952 bytes



Response Number 3
Name: btk1w1
Date: July 6, 2008 at 18:59:57 Pacific
Reply:

Heya ZGMFX05A

Download FindAWF to your desktop.

Click here to download FindAWF

Once the download has finished:

1) Double click FindAWF.exe to run it.
2) Press any key when prompted to continue.
3) When the menu appears select option 1 and press enter.
4) When the notepad document appears copy and paste the contents back here.



Response Number 4
Name: ZGMFX05A
Date: July 6, 2008 at 20:20:34 Pacific
Reply:

Hi,
As instructed, below is the notepad info.


Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Mon 07/07/2008
The current time is: 10:58:15.09


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 01:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\DAEMON~1\BAK

08/29/2007 11:09 PM 171,464 daemon.exe
1 File(s) 171,464 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

09/07/2007 04:55 PM 267,064 iTunesHelper.exe
1 File(s) 267,064 bytes

Directory of C:\PROGRA~1\MSNMES~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\POWERISO\BAK

08/07/2007 08:05 AM 200,704 PWRISOVM.EXE
1 File(s) 200,704 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

06/29/2007 06:24 AM 286,720 QTTask.exe
1 File(s) 286,720 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 12:56 AM 15,360 ctfmon.exe
07/09/2001 10:50 AM 155,648 NeroCheck.exe
2 File(s) 171,008 bytes

Directory of C:\PROGRA~1\CREATIVE\SBDRIV~1\BAK

12/03/2002 06:06 PM 45,056 SBDrvDet.exe
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SPLASH~1\BAK

09/13/2002 01:04 AM 49,152 CTEaxSpl.EXE
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\GRISOFT\AVG7\BAK

09/14/2007 07:18 PM 421,888 avgcc.exe
1 File(s) 421,888 bytes

Directory of C:\PROGRA~1\HP\HPCORE~1\BAK

01/12/2005 02:54 PM 241,664 hpcmpmgr.exe
1 File(s) 241,664 bytes

Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK

02/16/2005 11:11 PM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK

06/30/2003 08:56 PM 188,416 ISStart.exe
06/30/2003 09:00 PM 65,536 LogiTray.exe
2 File(s) 253,952 bytes

Directory of C:\WINDOWS\IME\IMJP8_1\BAK

08/03/2004 10:32 PM 208,952 IMJPMIG.EXE
1 File(s) 208,952 bytes

Directory of C:\PROGRA~1\COMMON~1\AHEAD\LIB\BAK

11/24/2005 03:38 PM 94,208 NMBgMonitor.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

02/05/2006 01:27 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

09/30/2002 01:00 AM 45,056 CTDVDDet.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

10/29/2002 09:18 AM 49,152 CTSysVol.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~2.0_0\BIN\BAK

07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Directory of C:\PROGRA~1\SONYER~1\MOBILE2\APPLIC~1\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\SYSTEM32\IME\TINTLGNT\BAK

08/03/2004 10:32 PM 455,168 TINTSETP.EXE
1 File(s) 455,168 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
171464 Aug 29 2007 "C:\Program Files\DAEMON Tools\bak\daemon.exe"
267048 Mar 30 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 7 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Apr 4 2008 "C:\WINDOWS\Installer\{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}\iTunesIco.exe"
75048 Apr 4 2008 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.6.2.9\iTunesSetupAdmin.exe"
75048 Apr 4 2008 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\8XW58445\iTunesSetupAdmin[1].exe"
116024 Sep 12 2007 "C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FPYPGAUF\iTunesSetupAdmin[1].exe"
200704 Aug 7 2007 "C:\Program Files\PowerISO\bak\PWRISOVM.EXE"
413696 Mar 28 2008 "C:\Program Files\QuickTime\QTTask.exe"
286720 Jun 29 2007 "C:\Program Files\QuickTime\bak\QTTask.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
155648 Jul 9 2001 "C:\WINDOWS\system32\bak\NeroCheck.exe"
45056 Dec 3 2002 "C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
49152 Sep 13 2002 "C:\Program Files\Creative\Splash Screen\bak\CTEaxSpl.EXE"
421888 Sep 14 2007 "C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
241664 Jan 12 2005 "C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
49152 Feb 16 2005 "C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
188416 Jun 30 2003 "C:\Program Files\Logitech\Video\bak\ISStart.exe"
65536 Jun 30 2003 "C:\Program Files\Logitech\Video\bak\LogiTray.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\imjpmig.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
94208 Nov 24 2005 "C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
180269 Feb 5 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
45056 Sep 30 2002 "C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
49152 Oct 29 2002 "C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
49263 Oct 12 2006 "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
83608 Mar 14 2007 "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jdk1.5.0_06\jre\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
455168 Aug 3 2004 "C:\WINDOWS\system32\IME\TINTLGNT\tintsetp.exe"
455168 Aug 3 2004 "C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"


end of report



Response Number 5
Name: btk1w1
Date: July 6, 2008 at 21:08:44 Pacific
Reply:

Heya ZGMFX05A,

Temporarily disable any real-time protection until the infection is cleaned. Remember to turn any back on once we have finished.

Click here for instructions to Temporarily Disable Real Time Monitoring Programs

FindAWF
1) Double click FindAWF.exe
2) Press any key when prompted to continue.
3) When the menu appears select option 2 and press enter.
4) A text file called files.txt will open. Click below the line and copy / paste the following red text listing the files to be restored:

"C:\WINDOWS\bak\UpdReg.EXE"
"C:\Program Files\DAEMON Tools\bak\daemon.exe"
"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\PowerISO\bak\PWRISOVM.EXE"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Creative\SB Drive Det\bak\SBDrvDet.exe"
"C:\Program Files\Creative\Splash Screen\bak\CTEaxSpl.EXE"
"C:\Program Files\Grisoft\AVG7\bak\avgcc.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\Logitech\Video\bak\ISStart.exe"
"C:\Program Files\Logitech\Video\bak\LogiTray.exe"
"C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
"C:\Program Files\Common Files\Ahead\Lib\bak\NMBgMonitor.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Creative\SBAudigy2\DVDAudio\bak\CTDVDDet.EXE"
"C:\Program Files\Creative\SBAudigy2\Surround Mixer\bak\CTSysVol.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
"C:\WINDOWS\system32\IME\TINTLGNT\bak\TINTSETP.EXE"

5) Close the text document and click "Yes" to Save the changes

Once files.txt is saved, FindAWF does the following:
- Attempts to terminate the process represented by each filename on the list, if running
- Deletes the rogue file from the parent folder, if present
- Copies the original file to the parent folder

When done with the above, FindAWF automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
[Edit] Please post a fresh HJT log also [End Edit]
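
A check that can be run on the report before and after the restore step described in the reply above (an added example, not part of the original thread and not FindAWF's own code): it pairs each bak entry with the same-named file in the parent folder and compares sizes. The function names and status labels are assumptions made for this illustration; the sample lines are copied from the report posted earlier in the thread.

```python
import ntpath
import re

# Lines copied from the "Duplicate files of bak directory contents" section
# of the FindAWF report posted in this thread: size, date, quoted path.
REPORT = r'''
267048 Mar 30 2008 "C:\Program Files\iTunes\iTunesHelper.exe"
267064 Sep 7 2007 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
200704 Aug 7 2007 "C:\Program Files\PowerISO\bak\PWRISOVM.EXE"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\imjpmig.exe"
208952 Aug 3 2004 "C:\WINDOWS\ime\IMJP8_1\bak\IMJPMIG.EXE"
'''

LINE = re.compile(r'^(\d+)\s+(\w{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"$')


def parse(report):
    """Return (size, date, path) for every well-formed report line."""
    rows = []
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def compare_with_parent(report):
    """Map each bak-folder file to (status, bak_size, parent_size)."""
    rows = parse(report)
    # Windows paths are case-insensitive, so index by lower-cased path.
    by_path = {path.lower(): size for size, _, path in rows}
    results = {}
    for size, _, path in rows:
        folder, name = ntpath.split(path)
        if ntpath.basename(folder).lower() != "bak":
            continue  # not a backup copy
        parent = ntpath.join(ntpath.dirname(folder), name)
        parent_size = by_path.get(parent.lower())
        if parent_size is None:
            status = "parent-missing"   # nothing listed in the parent folder
        elif parent_size == size:
            status = "same-size"        # equal size only; hash both to confirm
        else:
            status = "size-differs"     # parent copy is not the bak copy
        results[path] = (status, size, parent_size)
    return results


if __name__ == "__main__":
    for path, (status, bak, cur) in compare_with_parent(REPORT).items():
        print(f"{status:15} bak={bak} parent={cur} {path}")
```

A matching size does not establish that two files are identical, and a differing size may simply reflect a newer installed version, so the statuses are prompts for a hash or signature check rather than verdicts.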

