Thought I had this fixed, but my computer will occasionally crash and Norton Antivirus will keep trying to install although it is already on the system.
isl

Please download and install the latest version of HijackThis v2.0.2:
Download the HijackThis Installer from this link: HijackThis
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Please download FindAWF from this link: FindAWF
Double-click on the FindAWF.exe file to run it. It will open a command prompt and ask you to "Press any key to continue". You will be presented with a Menu.
1. Press 1 then Enter to scan for bak folders
2. Press 2 then Enter to restore files from bak folders
3. Press 3 then Enter to remove bak folders
4. Press 4 then Enter to reset domain zones
5. Press E then Enter to EXIT
Press 1 then press Enter. Copy and paste the contents of the AWF.txt file in your next reply.

Logfile of HijackThis v1.99.1
Scan saved at 4:34:08 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\LVCOMSX.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec_Client_Security\SymantecAntiVirus\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ISL\LOCALS~1\Temp\Rar$EX00.750\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\InternetExplorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\InternetExplorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchPage = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,StartPage = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,LocalPage =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,LocalPage =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,WindowTitle = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\InternetSettings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) -{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670}- (no file)
O2 - BHO: Adobe PDF Reader Link Helper -{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F}- C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class -{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045}- (no file)
O3 - Toolbar: (no name) -{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\SpywareDoctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [PCMService] C:\Program Files\Dell\MediaExperience\PCMService.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\ProgramFiles\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray]C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers]C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\CommonFiles\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\ProgramFiles\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\ProgramFiles\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Defender] C:\ProgramFiles\Windows Defender\MSASCui.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\ProgramFiles\QuickTime\qttask.exe
O4 - HKLM\..\Run: [KernelFaultCheck]%systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe]C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\ProgramFiles\Logitech\Video\ManifestEngine.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat7.0\Reader\AdobeUpdateManager.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\CommonFiles\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk =C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\ProgramFiles\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) -{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) -{85d1f590-48f4-11d9-9669-0800200c9a66} -
%windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender OnlineScanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} -
%windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research -{92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com -{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -
C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com -{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} -
C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) -{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -{e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network
Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger -{FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger -{FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTimeObject) -
http://a1540.g.akamai.net/7/1540/52...
apple.com/qtactivex/qtplugin.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83}(AxProdInfoCtl Class) -
http://www.symantec.com/techsupp/ac...
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}(BDSCANONLINE Control) -
http://download.bitdefender.com/res...
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7}(PhotoPickConvert Class) -
http://appdirectory.messenger.msn.c...
otoSwap/PhtPkMSN.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImageClass) - http://www.skibanff.com/skicam/Axis...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09}(Get_ActiveX Control) -
https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadMa
nager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}(MsnMessengerSetupDownloadControl Class) -
http://messenger.msn.com/download/M...
r.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayXControl) -
http://www.nullsoft.com/nsv/embed/n...
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayXControl) -
http://www.nullsoft.com/nsv/embed/n...
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (PhotodexPresenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (ShockwaveFlash Object) -
http://fpdownload2.macromedia.com/g...
wflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (VirtoolsWebPlayer Class) -
http://a532.g.akamai.net/f/532/6712...
mai.com/6712/player/install/installer.exe
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (QuantumStreaming IE Player Class) -
http://mvnet.xlontech.net/qm/fox/06...
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978}(IWinAmpActiveX Class) -
http://cdn.digitalcity.com/_media/d...
O18 - Protocol: livecall -{828030A1-22C1-4009-854F-8E305202313F} -
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim -{828030A1-22C1-4009-854F-8E305202313F} -
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: App Management - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui -C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon -C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon -C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj -{AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\ProgramFiles\Common Files\Adobe Systems
Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation -C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) -Macrovision Corporation - C:\Program Files\Common
Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. -C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - LexmarkInternational, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirusServer) - Symantec Corporation -
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP -C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) -PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) -PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: spkrmon - Unknown owner - C:\ProgramFiles\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Sygate Personal Firewall (svc) - Unknownowner - C:\WINDOWS\System32\rundll.exe" -netsvcs (file
missing)
O23 - Service: TabletService - Wacom Technology, Corp. -C:\WINDOWS\system32\Tablet.exe
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sun 10/21/2007
The current time is: 16:35:16.25
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\QUICKT~1\BAK
12/10/2006 04:13 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK
11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
08/04/2004 01:56 AM 15,360 ctfmon.exe
09/20/2005 09:32 AM 77,824 hkcmd.exe
09/20/2005 09:36 AM 114,688 igfxpers.exe
09/20/2005 09:35 AM 94,208 igfxtray.exe
07/19/2005 05:32 PM 221,184 LVCOMSX.exe
5 File(s) 523,264 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK
08/26/2003 09:47 PM 204,800 PCMService.exe
1 File(s) 204,800 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK
06/08/2005 03:24 PM 458,752 ISStart.exe
06/08/2005 03:14 PM 217,088 LogiTray.exe
06/08/2005 02:44 PM 196,608 ManifestEngine.exe
3 File(s) 872,448 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK
03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
07/08/2006 08:21 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
282624 Dec 10 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\DELL\Drivers\R60084\Graphics\Win2000\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\hkcmd.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\igfxpers.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\igfxtray.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 7 2003 "C:\DELL\Drivers\R60084\Graphics\Win2000\igfxtray.exe"
155648 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxtray.exe"
221184 Jul 19 2005 "C:\WINDOWS\system32\LVCOMSX.exe"
221184 Jul 19 2005 "C:\WINDOWS\system32\bak\LVCOMSX.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
458752 Jun 8 2005 "C:\Program Files\Logitech\Video\bak\ISStart.exe"
217088 Jun 8 2005 "C:\Program Files\Logitech\Video\bak\LogiTray.exe"
196608 Jun 8 2005 "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
970752 Mar 16 2005 "C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
180269 Jul 8 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jul 8 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
end of report

Go to start> run> type in notepad> ok> format. uncheck "word wrap"> exit notepad.
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 2 then Enter to restore files from bak folders

A text file opens called: files.txt
Click below the line and paste the following list of files to be restored:
"C:\Program Files\QuickTime\bak\qttask.exe"
"C:\Program Files\Windows Defender\bak\MSASCui.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\hkcmd.exe"
"C:\WINDOWS\system32\bak\igfxpers.exe"
"C:\WINDOWS\system32\bak\igfxtray.exe"
"C:\WINDOWS\system32\bak\LVCOMSX.exe"
"C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
"C:\Program Files\Logitech\Video\bak\ISStart.exe"
"C:\Program Files\Logitech\Video\bak\LogiTray.exe"
"C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
"C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
"C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
Next, close and click Yes to save the changes.
Once files.txt is saved, FindAWF does the following:
-It attempts to terminate the process represented by each filename on the list, if running
-Deletes the rogue file from the parent folder, if present
-Copies the original file to the parent folder

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.

Post a new Hijack This log please.
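
Added example (not part of the original thread and not FindAWF's own code): a Python script that reads the "Duplicate files of bak directory contents" section of a FindAWF report and lists the bak copies that have no same-size file in the parent folder, i.e. the originals still waiting to be restored. The same-size comparison and the function names are assumptions made for this example; the sample lines are excerpts of the two reports posted in this thread.

```python
import ntpath
import re

# One report entry: size, month, day, year, quoted path. A run of "~" may be
# fused to the first entry when blank lines are lost in a forum paste.
ENTRY = re.compile(
    r'^[~\s]*(\d+)\s+[A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+"([^"]+)"\s*$'
)

# Excerpt of the report taken before "Option 2" (restore) was run.
SAMPLE_BEFORE = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~282624 Dec 10 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\DELL\Drivers\R60084\Graphics\Win2000\hkcmd.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
end of report
'''

# Excerpt of the report taken after "Option 2 run successfully".
SAMPLE_AFTER = r'''
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~282624 Dec 10 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Dec 10 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\DELL\Drivers\R60084\Graphics\Win2000\hkcmd.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\PCMService.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
end of report
'''


def parse_entries(report):
    """Return [(size_in_bytes, path), ...] for every entry line in the report."""
    entries = []
    for line in report.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2)))
    return entries


def unrestored_bak_files(report):
    """List bak copies whose parent folder holds no file of the same name and size.

    Assumption of this example: a matching name and size in the parent folder
    means the original has been put back; anything else needs a closer look.
    """
    entries = parse_entries(report)
    # Windows paths are case-insensitive, so compare on the normalised form.
    present = {(ntpath.normcase(path), size) for size, path in entries}
    pending = []
    for size, path in entries:
        folder, name = ntpath.split(path)
        if ntpath.basename(folder).lower() != "bak":
            continue  # not a backup copy
        parent_copy = ntpath.join(ntpath.dirname(folder), name)
        if (ntpath.normcase(parent_copy), size) not in present:
            pending.append(path)
    return pending


if __name__ == "__main__":
    for label, report in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        pending = unrestored_bak_files(report)
        print(f"{label}: {len(pending)} bak file(s) without a matching original")
        for path in pending:
            print("   ", path)
```

A size match is only a quick consistency check between two reports; it does not prove that the file in the parent folder is the original.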

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sun 10/21/2007
The current time is: 18:28:59.62
bak folders found
~~~~~~~~~~~
Directory of C:\PROGRA~1\QUICKT~1\BAK
12/10/2006 04:13 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\PROGRA~1\WINDOW~4\BAK
11/03/2006 07:20 PM 866,584 MSASCui.exe
1 File(s) 866,584 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK
08/04/2004 01:56 AM 15,360 ctfmon.exe
09/20/2005 09:32 AM 77,824 hkcmd.exe
09/20/2005 09:36 AM 114,688 igfxpers.exe
09/20/2005 09:35 AM 94,208 igfxtray.exe
07/19/2005 05:32 PM 221,184 LVCOMSX.exe
5 File(s) 523,264 bytes

Directory of C:\PROGRA~1\DELL\MEDIAE~1\BAK
08/26/2003 09:47 PM 204,800 PCMService.exe
1 File(s) 204,800 bytes

Directory of C:\PROGRA~1\LOGITECH\VIDEO\BAK
06/08/2005 03:24 PM 458,752 ISStart.exe
06/08/2005 03:14 PM 217,088 LogiTray.exe
06/08/2005 02:44 PM 196,608 ManifestEngine.exe
3 File(s) 872,448 bytes

Directory of C:\PROGRA~1\ADOBE\ACROBA~2.0\READER\BAK
03/30/2006 04:45 PM 313,472 AdobeUpdateManager.exe
1 File(s) 313,472 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK
07/08/2006 08:21 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\JAVA\JRE16~1.0_0\BIN\BAK
07/12/2007 04:00 AM 132,496 jusched.exe
1 File(s) 132,496 bytes

Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
282624 Dec 10 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Dec 10 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\MSASCui.exe"
866584 Nov 3 2006 "C:\Program Files\Windows Defender\bak\MSASCui.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\hkcmd.exe"
77824 Sep 20 2005 "C:\WINDOWS\system32\bak\hkcmd.exe"
114688 Apr 7 2003 "C:\DELL\Drivers\R60084\Graphics\Win2000\hkcmd.exe"
114688 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\hkcmd.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\igfxpers.exe"
114688 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxpers.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\igfxtray.exe"
94208 Sep 20 2005 "C:\WINDOWS\system32\bak\igfxtray.exe"
155648 Apr 7 2003 "C:\DELL\Drivers\R60084\Graphics\Win2000\igfxtray.exe"
155648 Apr 7 2003 "C:\WINDOWS\system32\ReinstallBackups\0016\DriverFiles\igfxtray.exe"
221184 Jul 19 2005 "C:\WINDOWS\system32\LVCOMSX.exe"
221184 Jul 19 2005 "C:\WINDOWS\system32\bak\LVCOMSX.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\PCMService.exe"
204800 Aug 26 2003 "C:\Program Files\Dell\Media Experience\bak\PCMService.exe"
458752 Jun 8 2005 "C:\Program Files\Logitech\Video\ISStart.exe"
458752 Jun 8 2005 "C:\Program Files\Logitech\Video\bak\ISStart.exe"
217088 Jun 8 2005 "C:\Program Files\Logitech\Video\LogiTray.exe"
217088 Jun 8 2005 "C:\Program Files\Logitech\Video\bak\LogiTray.exe"
196608 Jun 8 2005 "C:\Program Files\Logitech\Video\ManifestEngine.exe"
196608 Jun 8 2005 "C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe"
970752 Mar 16 2005 "C:\Program Files\Common Files\Adobe\Updater\AdobeUpdater.exe"
313472 Mar 30 2006 "C:\Program Files\Adobe\Acrobat 7.0\Reader\bak\AdobeUpdateManager.exe"
180269 Jul 8 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Jul 8 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
32881 Sep 28 2004 "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe"
36975 Mar 4 2005 "C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe"
49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
36975 Jun 3 2005 "C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe"
75520 Dec 15 2006 "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
49263 Jul 26 2006 "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
132496 Jul 12 2007 "C:\Program Files\Java\jre1.6.0_02\bin\bak\jusched.exe"
end of report
Logfile of HijackThis v1.99.1
Scan saved at 6:33:43 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ISL\LOCALS~1\Temp\Rar$EX00.875\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program Files\Logitech\Video\ManifestEngine.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/ac...
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.c...
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.skibanff.com/skicam/Axis...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/n...
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/n...
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06...
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/d...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: App Management - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Sygate Personal Firewall (svc) - Unknown owner - C:\WINDOWS\System32\rundll.exe" -netsvcs (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

Temporarily disable any of the following anti-spyware realtime protection programs that you may have Disable Realtime Protection or the fixes will not work. Be sure to turn your anti-spyware programs back on once the computer is clean.
Option 3:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 3 then Enter to remove bak folders

A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
C:\PROGRA~1\WINDOW~4\BAK
C:\Program Files\QuickTime\bak
C:\Program Files\Windows Defender\bak
C:\WINDOWS\system32\bak
C:\WINDOWS\system32\bak
C:\Program Files\Dell\Media Experience\bak
C:\Program Files\Logitech\Video\bak
C:\Program Files\Logitech\Video\bak
C:\Program Files\Logitech\Video\bak
C:\Program Files\Adobe\Acrobat 7.0\Reader\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Java\jre1.6.0_02\bin\bak
Next, close and click Yes to save the changes.
Once folders.txt is saved, FindAWF does the following:
-It deletes the contents of the bak folders
-Removes the bak folders

When done with the above, it automatically runs a new scan and opens a new log.
Please provide the new FindAWF log in your reply.
Next Option 4.
Option 4:
Double-click the FindAWF icon once again
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 4 then Enter to reset domain zones

This removes all entries from the domain zones.
When the program returns to the main menu, use the following option:
Press E then Enter to EXIT

Next,
Launch Notepad, and copy/paste all the blue instructions below to it.
Save in: Desktop
File Name: fixme.reg
Save as Type: All files
Click: Save
REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges]

Then, disconnect from the Internet!
Next,
Back on the Desktop, double-click on the fixme.reg file you just saved and click on Yes when asked to merge the information.
Optional if the following programs are in your computer.
Note that since the Domains are deleted SpywareBlaster protection must be re-enabled. Spybot's Immunize feature must be used again, also you have to re-install IE-SpyAd if installed.
Delete the fixme.reg file just created.
Run Hijack This, close all windows and browsers except Hijack This, place a check to the left of the following items and press "fix checked":
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O20 - Winlogon Notify: App Management - C:\WINDOWS\
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\
Exit Hijack This.
Post a new Hijack This log.
Please download ComboFix to the desktop from this link:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)
Please post the log it produces.

FIND AWF LOG
Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully
The current date is: Sun 10/21/2007
The current time is: 19:41:59.65
bak folders found
~~~~~~~~~~~
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~
end of report
HIJACKTHIS LOG
Logfile of HijackThis v1.99.1
Scan saved at 7:54:23 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\ISL\LOCALS~1\Temp\Rar$EX00.891\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] C:\Program Files\Logitech\Video\ManifestEngine.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Desktop Manager.lnk = C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/ac...
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.c...
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.skibanff.com/skicam/Axis...
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/M...
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/n...
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/n...
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...
O16 - DPF: {E473A65C-8087-49A3-AFFD-C5BC4A10669B} (Quantum Streaming IE Player Class) - http://mvnet.xlontech.net/qm/fox/06...
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/d...
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
O23 - Service: Sygate Personal Firewall (svc) - Unknown owner - C:\WINDOWS\System32\rundll.exe" -netsvcs (file missing)
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
COMBO FIX LOG
ComboFix 07-10-20.6 - ISL 2007-10-21 19:57:44.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.255 [GMT -6:00]
Running from: C:\Documents and Settings\ISL\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1192425376.old
C:\Program Files\WinBudget\bin\matrix.dat
C:\Program Files\WinBudget\bin\matrix.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\timessquare1.dat
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_FAD
((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.
2007-10-21 19:56 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-20 19:27 221,184 --a------ C:\WINDOWS\system32\LVCOMSX.exe
2007-10-20 19:27 114,688 --a------ C:\WINDOWS\system32\igfxpers.exe
2007-10-20 19:27 94,208 --a------ C:\WINDOWS\system32\igfxtray.exe
2007-10-20 19:27 77,824 --a------ C:\WINDOWS\system32\hkcmd.exe
2007-10-20 18:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-20 08:27 <DIR> d-------- C:\Documents and Settings\ISL\Application Data\Uniblue
2007-10-20 08:27 <DIR> d-------- C:\Documents and Settings\ISL\Application Data\Uniblue
2007-10-20 08:27 <DIR> d-------- C:\Documents and Settings\ISL\Application Data\Uniblue
2007-10-20 08:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-20 08:16 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-20 08:16 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-20 08:16 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-20 08:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-20 08:15 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-20 08:15 <DIR> d-------- C:\Documents and Settings\ISL\Application Data\PC Tools
2007-10-20 08:15 <DIR> d-------- C:\Documents and Settings\ISL\Application Data\PC Tools
2007-10-20 08:15 <DIR> d-------- C:\Documents and Settings\ISL\Application Data\PC Tools
2007-10-20 08:15 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-09 14:17 582,656 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-22 01:41 --------- d-----w C:\Program Files\Windows Defender
2007-10-22 01:41 --------- d-----w C:\Program Files\QuickTime
2007-10-22 01:06 --------- d-----w C:\Program Files\TVUPlayer
2007-10-14 02:15 --------- d-----w C:\Documents and Settings\ISL\Application Data\CoreFTP
2007-10-14 02:15 --------- d-----w C:\Documents and Settings\ISL\Application Data\CoreFTP
2007-10-14 02:15 --------- d-----w C:\Documents and Settings\ISL\Application Data\CoreFTP
2007-10-13 21:30 --------- d-----w C:\Documents and Settings\ISL\Application Data\U3
2007-10-13 21:30 --------- d-----w C:\Documents and Settings\ISL\Application Data\U3
2007-10-13 21:30 --------- d-----w C:\Documents and Settings\ISL\Application Data\U3
2007-09-21 01:24 --------- d-----w C:\Program Files\Photodex Presenter
2007-09-21 01:24 --------- d-----w C:\Documents and Settings\ISL\Application Data\Netscape
2007-09-21 01:24 --------- d-----w C:\Documents and Settings\ISL\Application Data\Netscape
2007-09-21 01:24 --------- d-----w C:\Documents and Settings\ISL\Application Data\Netscape
2007-09-20 00:23 --------- d-----w C:\Program Files\MSN Messenger
2007-09-19 03:40 --------- d-----w C:\Program Files\Java
2007-09-12 04:38 --------- d-----w C:\Program Files\Google
2005-05-20 04:13 3,345,634 ----a-w C:\Documents and Settings\ISL\BitTornado-0.3.7-w32install.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 21:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-08 20:21]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.exe" [2005-07-19 17:32]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2005-06-08 15:24]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2005-06-08 15:14]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-10 16:13]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" [2005-06-08 14:44]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Win32 Secure Updates"=
"Sygate Personal Firewall"=
"RunNarrator"=
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Win32 Secure Updates"=
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
"C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
C:\Program Files\Logitech\Video\ISStart.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
C:\Program Files\Logitech\Video\LogiTray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
C:\WINDOWS\system32\LVCOMSX.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
S1 bdftdif;bdftdif;\??\C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys
S2 svc;Sygate Personal Firewall;"C:\WINDOWS\System32\rundll.exe" -netsvcs
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command -
.
Contents of the 'Scheduled Tasks' folder
"2007-10-21 17:30:39 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-21 20:00:25
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-21 20:02:40 - machine was rebooted
.
--- E O F ---
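
Added example, not part of the original posts: several entries in the fix list and in the later HijackThis log above end in `(no file)` or `(file missing)`, meaning the registry entry survives but its target is gone. The sketch below pulls such entries out of a log and groups them by CLSID, so related entries (here the R3 and O3 lines sharing one CLSID) are reviewed together; the function names are hypothetical and the sample lines are copied from this thread.

```python
import re
from collections import defaultdict

# Entries copied from the HijackThis logs and fix list in this thread, plus one
# running-process line that the parser must skip.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\lsass.exe
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O23 - Service: Sygate Personal Firewall (svc) - Unknown owner - C:\WINDOWS\System32\rundll.exe" -netsvcs (file missing)
"""

# Section code (R0, O2, O23, ...) followed by " - " and the rest of the entry.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(log_text):
    """Return one dict per HijackThis entry line; header and process lines are ignored."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        marker = next((mk for mk in ORPHAN_MARKERS if body.endswith(mk)), None)
        entries.append({
            "code": code,
            "clsid": clsid.group(0).upper() if clsid else None,  # normalise case
            "orphan": marker,
            "body": body,
        })
    return entries


def orphans_by_clsid(entries):
    """Map CLSID (or None) to the section codes of entries whose target file is gone."""
    groups = defaultdict(list)
    for e in entries:
        if e["orphan"]:
            groups[e["clsid"]].append(e["code"])
    return dict(groups)


if __name__ == "__main__":
    for clsid, codes in orphans_by_clsid(parse_entries(SAMPLE_LOG)).items():
        print(clsid or "(no CLSID)", codes)
```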

Open notepad (Start Menu > Run > Type notepad and press "ok").
Copy and paste everything into notepad between the x's making regedit4 the top line.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
REGEDIT4
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Win32 Secure Updates"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Win32 Secure Updates"=-
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it Fix.reg, then save it to your desktop.
Double click Fix.reg (or right click and choose Merge) and it will ask if you want to merge the contents into the registry, choose Yes.
Please download ATF-Cleaner to your desktop from this link
http://www.atribune.org/content/view/19/2/
We will need it later in safe mode.
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore">apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.
Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Run ATF-Cleaner from safe mode.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
How is the computer operating?
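
Added example, not part of the original posts: both fixme.reg and Fix.reg in this thread rely on the two deletion forms of the .reg format, `[-KEY]` to remove a key with everything under it and `"name"=-` to remove a single value. The sketch below lists what such a file would do before it is merged; the function names are hypothetical, it handles only the constructs used in this thread (anything else raises an error), and it rejects a header that is run together with the first key, a common copy/paste slip.

```python
import re

# The two fixes from this thread, typed out with one statement per line.
# FIXME_REG is shortened to the first delete/recreate pair.
FIXME_REG = r"""REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]
"""
FIX_REG = r"""REGEDIT4
[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"Win32 Secure Updates"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Win32 Secure Updates"=-
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
# "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def plan_reg_changes(text):
    """Return (action, key, value_name) tuples describing what the file would do."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # The header has to stand alone on the first line.
    if not lines or lines[0] not in HEADERS:
        raise ValueError("first line is not a .reg header")
    plan, current = [], None
    for line in lines[1:]:
        if line.startswith(";"):          # comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):       # [-KEY]: delete key and all subkeys
                plan.append(("delete-key", key[1:], None))
                current = None
            else:                          # [KEY]: create the key if absent
                current = key
                plan.append(("open-key", key, None))
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unsupported line: %r" % line)
        name = "(Default)" if m.group(2) else m.group(1)
        # "name"=- deletes the value; anything else sets it.
        action = "delete-value" if m.group(3).strip() == "-" else "set-value"
        plan.append((action, current, name))
    return plan


def destructive_steps(text):
    """Only the steps that remove something, for review before merging."""
    return [s for s in plan_reg_changes(text) if s[0].startswith("delete")]


if __name__ == "__main__":
    for step in plan_reg_changes(FIXME_REG) + plan_reg_changes(FIX_REG):
        print(step)
```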

Wow, that was a lot of work! Seems good. The Windows installer still pops up with the Norton antivirus, but I am able to start it directly from the program files.
isl

Try uninstalling Nortons then reinstall it.
Or uninstall Nortons and install a free antivirus.
I use AVG Free Antivirus. You can get AVG free antivirus Here
