Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
Please download FindAWF from this link: FindAWF
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.

thank you so much....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:53 PM, on 10/24/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\NALNTSRV.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\ncsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\NWTRAY.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\NOVELL\ZENRC\wuser32.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://remoteaccess.veoliaes.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = esgrna1-asdb1.onyxna.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = esgrna1-asdb1.onyxna.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = esgrna1-asdb1.onyxna.net
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.exe
O23 - Service: Virtual Com Port Service (neoNcSvc) - Unknown owner - C:\WINDOWS\System32\ncsvc.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
--
End of file - 8106 bytes
Find AWF report by noahdfear ©2006
Version 1.40
The current date is: Wed 10/24/2007
The current time is: 22:04:45.32
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\SYMANT~1\BAK
05/26/2006 09:01 PM 124,656 VPTray.exe
1 File(s) 124,656 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
12/21/2004 11:11 AM 126,976 hkcmd.exe
12/21/2004 11:16 AM 155,648 igfxtray.exe
2 File(s) 282,624 bytes
Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK
09/23/2004 12:41 PM 860,160 Smax4.exe
10/14/2004 09:11 AM 1,388,544 SMax4PNP.exe
2 File(s) 2,248,704 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
03/07/2006 01:02 PM 53,408 ccApp.exe
1 File(s) 53,408 bytes
Directory of C:\PROGRA~1\FUNKSO~1\PROXYH~1\BAK
02/17/2004 04:50 PM 230,544 phtray.exe
1 File(s) 230,544 bytes
Directory of C:\PROGRA~1\HP\HPCORE~1\BAK
06/26/2003 07:50 PM 212,992 hpcmpmgr.exe
1 File(s) 212,992 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/17/2005 12:11 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK
09/07/2004 04:28 PM 213,054 cpqset.exe
1 File(s) 213,054 bytes
Directory of C:\PROGRA~1\IBM\CLIENT~1\BAK
05/07/2002 05:20 AM 45,056 cwbckver.exe
05/07/2002 05:20 AM 24,626 cwbinhlp.exe
05/07/2002 05:20 AM 20,530 cwbsvstr.exe
05/07/2002 05:20 AM 20,530 cwbwlwiz.exe
4 File(s) 110,742 bytes
Directory of C:\PROGRA~1\INTERV~1\DVDCHE~1\BAK
12/08/2004 06:44 PM 184,320 DVDCheck.exe
1 File(s) 184,320 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK
09/22/2005 06:29 PM 303,104 mcagent.exe
01/11/2006 12:05 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytes
Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
11/04/2004 06:38 PM 688,218 SynTPEnh.exe
11/04/2004 06:40 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes
Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes
Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK
09/25/2004 02:37 AM 1,691,648 DrgToDsc.exe
1 File(s) 1,691,648 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report

Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

thanks again...
ComboFix 07-10-23.1 - onyxtech 2007-10-24 22:30:07.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.118 [GMT -4:00]
Running from: C:\Documents and Settings\onyxtech\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.
2007-10-24 13:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 12:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 14:09 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-22 16:50 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-22 16:50 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-22 16:46 <DIR> d-------- C:\SAVINST
2007-10-03 12:33 <DIR> d-------- C:\Program Files\Webroot
2007-10-03 12:33 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-10-03 12:33 <DIR> d-------- C:\Documents and Settings\onyxtech\Application Data\Webroot
2007-10-03 12:32 72,008 --a------ C:\WINDOWS\Unwash6.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 00:29 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-22 20:50 --------- d-----w C:\Program Files\Symantec
2007-10-22 20:50 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-09-07 22:03 --------- d-----w C:\Program Files\McAfee
2007-09-07 22:00 --------- d-----w C:\Program Files\Common Files\McAfee
2007-09-07 21:59 --------- d-----w C:\Program Files\McAfee.com
1998-12-09 01:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 01:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 01:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 01:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 01:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 01:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( snapshot@2007-10-24_13.23.33.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-21 01:17:30 53,166 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-25 00:30:34 53,166 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-08-21 01:17:30 380,918 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-25 00:30:34 380,918 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-25 00:29:52 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a38.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 40,048 2007-05-11 07:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 860,160 2004-09-23 16:41:54 C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe
----a-w 1,388,544 2004-10-14 13:11:10 C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe
----a-w 53,408 2006-03-07 17:02:14 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,896 2006-07-19 23:26:04 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
----a-w 230,544 2004-02-17 20:50:34 C:\Program Files\Funk Software\Proxy Host\bak\phtray.exe
----a-w 49,152 2005-02-17 04:11:42 C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe
----a-w 212,992 2003-06-26 23:50:24 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 324 2007-09-12 21:52:47 C:\Program Files\HP\hpcoretech\bak\data\EvntData-2067881625.xml
----a-w 213,054 2004-09-07 20:28:26 C:\Program Files\HPQ\Default Settings\bak\cpqset.exe
----a-w 45,056 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbckver.exe
----a-w 24,626 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbinhlp.exe
----a-w 20,530 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbsvstr.exe
----a-w 20,530 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbwlwiz.exe
----a-w 184,320 2004-12-08 22:44:36 C:\Program Files\InterVideo\DVD Check\bak\DVDCheck.exe
----a-w 303,104 2005-09-22 22:29:08 C:\Program Files\McAfee.com\Agent\bak\mcagent.exe
----a-w 566,872 2007-01-05 20:21:16 C:\Program Files\McAfee.com\Agent\mcagent.exe
----a-w 212,992 2006-01-11 16:05:42 C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe
----a-w 390,744 2007-01-05 20:22:16 C:\Program Files\McAfee.com\Agent\mcupdate.exe
----a-w 1,691,648 2004-09-25 06:37:42 C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe
----a-w 124,656 2006-05-27 01:01:58 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,168 2006-09-28 00:33:44 C:\Program Files\Symantec AntiVirus\VPTray.exe
----a-w 688,218 2004-11-04 22:38:54 C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe
----a-w 98,394 2004-11-04 22:40:08 C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe
----a-w 126,976 2004-12-21 15:11:32 C:\WINDOWS\system32\bak\hkcmd.exe
----a-w 155,648 2004-12-21 15:16:10 C:\WINDOWS\system32\bak\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 C:\WINDOWS\AGRSMMSG.exe]
"ZENRC Tray Icon"="zentray.exe" [2001-06-15 08:21 C:\WINDOWS\system32\zentray.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 05:37 C:\WINDOWS\system32\nwtray.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 19:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-09-27 20:33]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 15:46]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"=1 (0x1)
"DisableChangePassword"=1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"=1 (0x1)
"NoLogoff"=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0
R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\System32\drivers\nicm.sys
R0 NwFilter;Novell UNC Path Filter;C:\WINDOWS\System32\NetWare\NwFilter.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\System32\drivers\UDFReadr.sys
R2 BlankScreen;HBDevice;C:\WINDOWS\System32\drivers\BlankScreen.sys
R2 Kblock;Kblock;C:\WINDOWS\System32\drivers\Kblock.sys
R2 KBSTUFF;KBSTUFF;C:\WINDOWS\System32\drivers\KBSTUFF.sys
R2 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe
R2 Mouslock;Mouslock;C:\WINDOWS\System32\drivers\Mouslock.sys
R2 neoNcSvc;Virtual Com Port Service;C:\WINDOWS\System32\ncsvc.exe
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\System32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\System32\NetWare\nwdhcp.sys
R2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\System32\NetWare\nwsipx32.sys
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\System32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\System32\NetWare\srvloc.sys
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\System32\DRIVERS\gtipci21.sys
R3 ncvcp;Network Connect Virtual Com Port;C:\WINDOWS\System32\DRIVERS\nsvcp.sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\System32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\System32\NetWare\NWHOST.sys
R3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\System32\NetWare\NWSAP.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\System32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\System32\NetWare\NWSNS.sys
S2 cusrvc;Client Update Service for Novell;C:\WINDOWS\System32\cusrvc.exe
*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 17:57:08 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1139424837.job"
"2007-09-07 22:00:23 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-09-07 22:00:22 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-24 22:31:02
Windows 5.1.2600 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-24 22:31:58
C:\ComboFix2.txt ... 2007-10-24 13:24
.
--- E O F ---

Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders
A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe"
"C:\Program Files\Analog Devices\SoundMAX\bak\Smax4.exe"
"C:\Program Files\Analog Devices\SoundMAX\bak\SMax4PNP.exe"
"C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
"C:\Program Files\Funk Software\Proxy Host\bak\phtray.exe"
"C:\Program Files\HP\HP Software Update\bak\HPWuSchd2.exe"
"C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe"
"C:\Program Files\HP\hpcoretech\bak\data\EvntData-2067881625.xml"
"C:\Program Files\HPQ\Default Settings\bak\cpqset.exe"
"C:\Program Files\IBM\Client Access\bak\cwbckver.exe"
"C:\Program Files\IBM\Client Access\bak\cwbinhlp.exe"
"C:\Program Files\IBM\Client Access\bak\cwbsvstr.exe"
"C:\Program Files\IBM\Client Access\bak\cwbwlwiz.exe"
"C:\Program Files\InterVideo\DVD Check\bak\DVDCheck.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcagent.exe"
"C:\Program Files\McAfee.com\Agent\bak\mcupdate.exe"
"C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak\DrgToDsc.exe"
"C:\Program Files\Symantec AntiVirus\bak\VPTray.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPEnh.exe"
"C:\Program Files\Synaptics\SynTP\bak\SynTPLpr.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
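The restore step described above replaces whatever currently sits in the parent folder, so it is useful to see beforehand which bak copies would overwrite a different file. The following Python is an added example, not part of the original post and not FindAWF's own code: it parses the AWF section of a ComboFix log and labels each bak file. The function names and status labels are assumptions of this example, and "no-parent-listed" only means the log shows no parent copy.

```python
import re
from collections import namedtuple

# Lines copied from the AWF section of the ComboFix log on this page. One
# pair is deliberately left run together on a single line, the way pasted
# logs often arrive, to exercise the parser.
AWF_SECTION = r"""
----a-w 40,048 2007-05-11 07:06:32 C:\Program Files\Adobe\Reader 8.0\Reader\bak\Reader_sl.exe
----a-w 53,408 2006-03-07 17:02:14 C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
----a-w 52,896 2006-07-19 23:26:04 C:\Program Files\Common Files\Symantec Shared\ccApp.exe----a-w 230,544 2004-02-17 20:50:34 C:\Program Files\Funk Software\Proxy Host\bak\phtray.exe
----a-w 212,992 2003-06-26 23:50:24 C:\Program Files\HP\hpcoretech\bak\hpcmpmgr.exe
----a-w 324 2007-09-12 21:52:47 C:\Program Files\HP\hpcoretech\bak\data\EvntData-2067881625.xml
----a-w 124,656 2006-05-27 01:01:58 C:\Program Files\Symantec AntiVirus\bak\VPTray.exe
----a-w 125,168 2006-09-28 00:33:44 C:\Program Files\Symantec AntiVirus\VPTray.exe
"""

Entry = namedtuple("Entry", "attrs size stamp path")

# attrs, size, timestamp, path. The lookahead ends a path either at end of
# line or where the next entry starts on the same line (lost line break).
ENTRY_RE = re.compile(
    r"(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s*"
    r"(?=[-a-z]{7}\s+[\d,]+\s+\d{4}-\d{2}-\d{2}|$)",
    re.MULTILINE,
)


def parse_awf(text):
    """Return one Entry per file listed in the AWF section."""
    return [
        Entry(m["attrs"], int(m["size"].replace(",", "")), m["stamp"], m["path"])
        for m in ENTRY_RE.finditer(text)
    ]


def plan_restore(text):
    """Label every file under a bak folder by what a restore would touch.

    Returns (bak_path, target_path, status) tuples where status is one of:
      overwrites-different  parent copy listed with another size or timestamp
      identical             parent copy listed with same size and timestamp
      no-parent-listed      the log shows no copy in the parent folder
      nested-review         file sits in a subfolder of bak; check by hand
    """
    entries = parse_awf(text)
    by_path = {e.path.lower(): e for e in entries}  # Windows paths ignore case
    plan = []
    for e in entries:
        parts = e.path.split("\\")
        dirs = [p.lower() for p in parts[:-1]]
        if "bak" not in dirs:
            continue  # parent-folder file, used only for comparison
        if dirs[-1] != "bak":
            plan.append((e.path, None, "nested-review"))
            continue
        target = "\\".join(parts[:-2] + parts[-1:])  # drop the bak component
        current = by_path.get(target.lower())
        if current is None:
            status = "no-parent-listed"
        elif (current.size, current.stamp) == (e.size, e.stamp):
            status = "identical"
        else:
            status = "overwrites-different"
        plan.append((e.path, target, status))
    return plan


if __name__ == "__main__":
    for bak_path, target, status in plan_restore(AWF_SECTION):
        print(f"{status:22} {bak_path}")
        if target:
            print(f"{'':22} -> {target}")
```

Entries labelled overwrites-different are the ones to compare by hand (size, date, vendor signature) before restoring.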

sorry to keep saying thanks but really..thanks for the help...
Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully
The current date is: Wed 10/24/2007
The current time is: 23:14:16.89
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\SYMANT~1\BAK
05/26/2006 09:01 PM 124,656 VPTray.exe
1 File(s) 124,656 bytes
Directory of C:\WINDOWS\SYSTEM32\BAK
12/21/2004 11:11 AM 126,976 hkcmd.exe
12/21/2004 11:16 AM 155,648 igfxtray.exe
2 File(s) 282,624 bytes
Directory of C:\PROGRA~1\ANALOG~1\SOUNDMAX\BAK
09/23/2004 12:41 PM 860,160 Smax4.exe
10/14/2004 09:11 AM 1,388,544 SMax4PNP.exe
2 File(s) 2,248,704 bytes
Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK
03/07/2006 01:02 PM 53,408 ccApp.exe
1 File(s) 53,408 bytes
Directory of C:\PROGRA~1\FUNKSO~1\PROXYH~1\BAK
02/17/2004 04:50 PM 230,544 phtray.exe
1 File(s) 230,544 bytes
Directory of C:\PROGRA~1\HP\HPCORE~1\BAK
06/26/2003 07:50 PM 212,992 hpcmpmgr.exe
1 File(s) 212,992 bytes
Directory of C:\PROGRA~1\HP\HPSOFT~1\BAK
02/17/2005 12:11 AM 49,152 HPWuSchd2.exe
1 File(s) 49,152 bytes
Directory of C:\PROGRA~1\HPQ\DEFAUL~1\BAK
09/07/2004 04:28 PM 213,054 cpqset.exe
1 File(s) 213,054 bytes
Directory of C:\PROGRA~1\IBM\CLIENT~1\BAK
05/07/2002 05:20 AM 45,056 cwbckver.exe
05/07/2002 05:20 AM 24,626 cwbinhlp.exe
05/07/2002 05:20 AM 20,530 cwbsvstr.exe
05/07/2002 05:20 AM 20,530 cwbwlwiz.exe
4 File(s) 110,742 bytes
Directory of C:\PROGRA~1\INTERV~1\DVDCHE~1\BAK
12/08/2004 06:44 PM 184,320 DVDCheck.exe
1 File(s) 184,320 bytes
Directory of C:\PROGRA~1\MCAFEE.COM\AGENT\BAK
09/22/2005 06:29 PM 303,104 mcagent.exe
01/11/2006 12:05 PM 212,992 mcupdate.exe
2 File(s) 516,096 bytes
Directory of C:\PROGRA~1\SYNAPT~1\SYNTP\BAK
11/04/2004 06:38 PM 688,218 SynTPEnh.exe
11/04/2004 06:40 PM 98,394 SynTPLpr.exe
2 File(s) 786,612 bytes
Directory of C:\PROGRA~1\ADOBE\READER~1.0\READER\BAK
05/11/2007 03:06 AM 40,048 Reader_sl.exe
1 File(s) 40,048 bytes
Directory of C:\PROGRA~1\ROXIO\EASYME~1\DRAGTO~1\BAK
09/25/2004 02:37 AM 1,691,648 DrgToDsc.exe
1 File(s) 1,691,648 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report

Option 3:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\Program Files\Adobe\Reader 8.0\Reader\bak
C:\Program Files\Analog Devices\SoundMAX\bak
C:\Program Files\Analog Devices\SoundMAX\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Funk Software\Proxy Host\bak
C:\Program Files\HP\HP Software Update\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HP\hpcoretech\bak
C:\Program Files\HPQ\Default Settings\bak
C:\Program Files\IBM\Client Access\bak
C:\Program Files\IBM\Client Access\bak
C:\Program Files\IBM\Client Access\bak
C:\Program Files\IBM\Client Access\bak
C:\Program Files\InterVideo\DVD Check\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\McAfee.com\Agent\bak
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\bak
C:\Program Files\Symantec AntiVirus\bak
C:\Program Files\Synaptics\SynTP\bak
C:\Program Files\Synaptics\SynTP\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders
When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones
This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT
Next,
Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.

so far so good...here's the log from step 3, step 4 completed successfully and the registry fix completed successfully...
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Wed 10/24/2007
The current time is: 23:43:17.62
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\HP\HPCORE~1\BAK
0 File(s) 0 bytes
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report

Post a new Combofix and Hijack This log please.
Download the latest version of http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-1_6_3-windowsi586-p.exe to install the newest version.
You should add "Spywareblaster" to your arsenal of antispyware tools, just do a google search for spywareblaster, download it, install it, and update it. It's free and runs in the background, so you don't actually run it, and re-writes malicious script before it can install on your computer. Look for updates weekly as there is no auto-update on the free version.

thank you so much! here is the combofix log and the hijack this log. I'll work on the Java fix after I send this so I'll be off-line for a little.
ComboFix 07-10-23.1 - onyxtech 2007-10-25 0:19:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.128 [GMT -4:00]
Running from: C:\Documents and Settings\onyxtech\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.
2007-10-24 23:14 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-10-24 23:14 126,976 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-10-24 13:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-24 12:47 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 14:09 <DIR> d-------- C:\Program Files\XoftSpySE
2007-10-22 16:50 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-10-22 16:50 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-22 16:46 <DIR> d-------- C:\SAVINST
2007-10-03 12:33 <DIR> d-------- C:\Program Files\Webroot
2007-10-03 12:33 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-10-03 12:33 <DIR> d-------- C:\Documents and Settings\onyxtech\Application Data\Webroot
2007-10-03 12:32 72,008 --a------ C:\WINDOWS\Unwash6.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-25 03:43 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-25 03:43 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-22 20:50 --------- d-----w C:\Program Files\Symantec
2007-09-07 22:03 --------- d-----w C:\Program Files\McAfee
2007-09-07 22:00 --------- d-----w C:\Program Files\Common Files\McAfee
2007-09-07 21:59 --------- d-----w C:\Program Files\McAfee.com
1998-12-09 01:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 01:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 01:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 01:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 01:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 01:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.
((((((((((((((((((((((((((((( snapshot@2007-10-24_13.23.33.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-21 01:17:30 53,166 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-25 00:30:34 53,166 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-08-21 01:17:30 380,918 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-25 00:30:34 380,918 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-25 00:29:52 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a38.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 15:01 C:\WINDOWS\AGRSMMSG.exe]
"ZENRC Tray Icon"="zentray.exe" [2001-06-15 08:21 C:\WINDOWS\system32\zentray.exe]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 05:37 C:\WINDOWS\system32\nwtray.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 13:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-05-26 21:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2007-09-05 15:46]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableLockWorkstation"=1 (0x1)
"DisableChangePassword"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisallowCpl"=1 (0x1)
"NoLogoff"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwv1_0

R0 NICM;Novell InterService Communication Driver;C:\WINDOWS\System32\drivers\nicm.sys
R0 NwFilter;Novell UNC Path Filter;C:\WINDOWS\System32\NetWare\NwFilter.sys
R1 DVDVRRdr_xp;DVDVRRdr_xp;C:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys
R1 UDFReadr;UDFReadr;C:\WINDOWS\System32\drivers\UDFReadr.sys
R2 BlankScreen;HBDevice;C:\WINDOWS\System32\drivers\BlankScreen.sys
R2 Kblock;Kblock;C:\WINDOWS\System32\drivers\Kblock.sys
R2 KBSTUFF;KBSTUFF;C:\WINDOWS\System32\drivers\KBSTUFF.sys
R2 LogWatch;Event Log Watch;C:\WINDOWS\LogWatNT.exe
R2 Mouslock;Mouslock;C:\WINDOWS\System32\drivers\Mouslock.sys
R2 neoNcSvc;Virtual Com Port Service;C:\WINDOWS\System32\ncsvc.exe
R2 NetwareWorkstation;Novell Client for Windows;C:\WINDOWS\System32\NetWare\nwfs.sys
R2 NWDHCP;Novell DHCP Inform Client;C:\WINDOWS\System32\NetWare\nwdhcp.sys
R2 NWSIPX32;Novell NetWare IPX/SPX Transport Interface;C:\WINDOWS\System32\NetWare\nwsipx32.sys
R2 RESMGR;Novell NetWare Resource Manager;C:\WINDOWS\System32\NetWare\resmgr.sys
R2 SRVLOC;Novell Service Location;C:\WINDOWS\System32\NetWare\srvloc.sys
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\System32\DRIVERS\gtipci21.sys
R3 ncvcp;Network Connect Virtual Com Port;C:\WINDOWS\System32\DRIVERS\nsvcp.sys
R3 NWDNS;Novell DNS Name Space Service Provider;C:\WINDOWS\System32\NetWare\nwdns.sys
R3 NWHOST;Novell Host File Name Space Service Provider;C:\WINDOWS\System32\NetWare\NWHOST.sys
R3 NWSAP;Novell SAP Name Space Provider;C:\WINDOWS\System32\NetWare\NWSAP.sys
R3 NWSLP;Novell SLP Name Space Service Provider;C:\WINDOWS\System32\NetWare\nwslp.sys
R3 NWSNS;Novell Simple Naming Services;C:\WINDOWS\System32\NetWare\NWSNS.sys
S2 cusrvc;Client Update Service for Novell;C:\WINDOWS\System32\cusrvc.exe

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 17:57:08 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#hp psc 2400 series#1139424837.job"
"2007-09-07 22:00:23 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-09-07 22:00:22 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 00:20:27
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-25 0:21:01
C:\ComboFix2.txt ... 2007-10-24 22:32
C:\ComboFix3.txt ... 2007-10-24 13:24
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:58 AM, on 10/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\LogWatNT.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\NALNTSRV.exe
C:\WINDOWS\System32\ncsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\NWTRAY.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\wm.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\NOVELL\ZENRC\wuser32.exe
c:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\NOVELL\ZENRC\WUOLService.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] zentray.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.exe
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://remoteaccess.veoliaes.com/dana-cached/setup/NeoterisSetup.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = esgrna1-asdb1.onyxna.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = esgrna1-asdb1.onyxna.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = esgrna1-asdb1.onyxna.net
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\System32\cusrvc.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: Event Log Watch (LogWatch) - Unknown owner - C:\WINDOWS\LogWatNT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\WINDOWS\System32\NALNTSRV.exe
O23 - Service: Virtual Com Port Service (neoNcSvc) - Unknown owner - C:\WINDOWS\System32\ncsvc.exe
O23 - Service: Remote management (Novell WUser Agent) - Novell, Inc. - C:\NOVELL\ZENRC\wuser32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Novell Workstation Manager (WM) - Novell, Inc. - C:\WINDOWS\System32\wm.exe
O23 - Service: WUOLservice (WUOLService) - Novell, Inc. - C:\NOVELL\ZENRC\WUOLService.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--
End of file - 7941 bytes

I see you have two antivirus programs running; that is not a good idea, as they will conflict. You should decide which one you want to keep and uninstall the other.
Glad we could help.

I have a few questions.
I couldn't find any Java entries in Add/Remove Programs. Should I install the Java download anyway?
The icons for both Symantec and McAfee are gone from my system tray. Actually, Symantec runs the virus protection and McAfee only has the firewall installed (Symantec doesn't have the firewall). Should I re-install them?

hay. just used spsweeper and got five red flags before ridding. two removals better than one. Just dis that two advice for dis.
hau


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.