Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Look At This Hijackthis Log And Helpppp...


  • Please log in to reply
6 replies to this topic

#1 tropikana

tropikana

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 07 January 2007 - 05:37 PM

Recently, my computer has been acting up. I was curious and I looked into my task manager to see about 7 IEXPLORE.EXE open each with about 10,000 - 15,000 mem usage. I restarted my computer and found out that on startup, this is what happens. I haven't been using Internet Explorer since late October 2006 and have been a Firefox user since.

Also, my computer intends to restart itself out of nowhere!

I have used AVG, Spybot S&B and Ad-Aware in both "normal" and "safe mode". Though they detected many errors, none of them have yet to help me correct this one. I also ran a virus scan and got a clean report.

I know you guys are going to request a log so here it is. Any form of help is REALLY appreciated!

Logfile of HijackThis v1.99.1
Scan saved at 5:24:52 PM, on 1/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Erika\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = remote.brooklyn.cuny.edu:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/brooklyn/suppor...s/ebraryRdr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

BC AdBot (Login to Remove)

 


#2 tropikana

tropikana
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 07 January 2007 - 05:48 PM

CORRECTION:

I restarted my computer and I did HiJackThis. Here's how the log looks when I first log on to my computer.

Logfile of HijackThis v1.99.1
Scan saved at 5:44:59 PM, on 1/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Updreg.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\QuickTime\qttask.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\internet explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Documents and Settings\Erika\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = remote.brooklyn.cuny.edu:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/brooklyn/suppor...s/ebraryRdr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O20 - AppInit_DLLs:
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#3 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 07 January 2007 - 06:28 PM

Add remove programs – remove Viewpoint

You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HiJackThis – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe

O20 - AppInit_DLLs:

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confimation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\System32\regscan.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot


1 Download this file :

http://download.bleepingcomputer.com/sUBs/...aB/combofix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:
Do not mouseclick combofix's window while its running. That may cause it to stall
======================

http://www.pandasoftware.com/products/activescan.htm

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Post a new HiJackThis log along with the results from ActiveScan



Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#4 tropikana

tropikana
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 08 January 2007 - 12:24 PM

Okay, I removed Viewpoint.

Here is the combofix log:

ComboFix 07-01-08W-BetaE2 - Running from: "C:\Documents and Settings\Erika\Desktop\killbox\combofix"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\1160407170.exe"
C:\WINDOWS\system32\1164201193.exe"


((((((((((((((((((((((((((((((( Files Created from 2006-12-07 to 2007-01-07 ))))))))))))))))))))))))))))))))))


2007-01-07 19:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-01-07 19:00 <DIR> d-------- C:\!KillBox
2007-01-07 16:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Lavasoft
2007-01-07 16:40 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Talkback
2007-01-07 16:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-01-07 16:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Application Data\Symantec
2007-01-07 16:30 <DIR> d-------- C:\WINDOWS\pss
2007-01-07 16:29 <DIR> d-------- C:\autoo
2007-01-07 01:52 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-01-07 01:52 <DIR> d-------- C:\Program Files\Grisoft
2007-01-07 01:35 <DIR> d-------- C:\Program Files\Uniblue
2007-01-07 01:35 <DIR> d-------- C:\DOCUME~1\Erika\Application Data\Uniblue
2007-01-06 22:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-06 22:37 <DIR> d-------- C:\DOCUME~1\Erika\Application Data\Lavasoft
2007-01-02 17:51 5,632 --a------ C:\WINDOWS\SYSTEM32\ptpusb.dll
2007-01-02 17:51 146,944 --a------ C:\WINDOWS\SYSTEM32\ptpusd.dll
2007-01-02 17:51 13,824 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\usbscan.sys
2006-12-30 17:06 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2006-12-30 17:05 <DIR> d-------- C:\Program Files\AIM6
2006-12-29 13:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\bak
2006-12-28 20:14 <DIR> d-------- C:\WINDOWS\bak
2006-12-28 18:11 <DIR> d-------- C:\DOCUME~1\Guest\Application Data\Apple Computer
2006-12-17 11:55 <DIR> d-------- C:\DOCUME~1\Erika\Application Data\COWON
2006-12-16 21:08 <DIR> dr-h----- C:\DOCUME~1\Joy\Application Data\yahoo!
2006-12-16 20:54 <DIR> d-------- C:\Program Files\iTunes
2006-12-16 20:54 <DIR> d-------- C:\Program Files\iPod
2006-12-16 20:52 <DIR> d-------- C:\Program Files\QuickTime
2006-12-16 20:45 <DIR> d-------- C:\Program Files\Apple Software Update
2006-12-14 12:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\AOL OCP
2006-12-11 16:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Spybot - Search & Destroy


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-07 20:22 -------- d-------- C:\Program Files\mozilla firefox
2007-01-07 20:05 -------- d-------- C:\Program Files\norton antivirus
2007-01-07 17:17 -------- d-------- C:\Program Files\yahoo!
2006-12-30 20:10 -------- d-------- C:\Program Files\Common Files\aol
2006-12-29 13:52 -------- d-------- C:\Program Files\microsoft works
2006-12-29 13:52 -------- d-------- C:\Program Files\messenger
2006-12-26 16:42 -------- d-------- C:\DOCUME~1\Erika\Application Data\adobe
2006-12-18 11:42 -------- d--h----- C:\Program Files\installshield installation information
2006-12-18 11:41 -------- d-------- C:\DOCUME~1\Erika\Application Data\dev-cpp
2006-12-14 22:41 -------- d-------- C:\DOCUME~1\Erika\Application Data\limewire
2006-12-11 16:41 -------- d-------- C:\Program Files\creative
2006-12-02 17:00 -------- dr-h----- C:\DOCUME~1\Erika\Application Data\yahoo!
2006-11-30 23:30 -------- d-------- C:\DOCUME~1\Erika\Application Data\macromedia


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Microsoft Works Update Detection"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"DellTouch"="C:\\WINDOWS\\DELLMMKB.EXE"
"NAV Agent"="C:\\PROGRA~1\\NORTON~1\\navapw32.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{367BDF4B-04E5-46C9-9D83-D68307F659E3}"="NSIS Media Extension"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\ISP signup reminder 1.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 07-01-07 20:29:01

=======================================================


Here is the activescan log:



Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Doreen\Application Data\Mozilla\Firefox\Profiles\cuiu1t6m.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Doreen\Application Data\Mozilla\Firefox\Profiles\cuiu1t6m.default\cookies.txt[.entrepreneur.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Doreen\Application Data\Mozilla\Firefox\Profiles\cuiu1t6m.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Doreen\Application Data\Mozilla\Firefox\Profiles\cuiu1t6m.default\cookies.txt[.go.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Doreen\Application Data\Mozilla\Firefox\Profiles\cuiu1t6m.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Doreen\Cookies\doreen@azjmp[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Doreen\Cookies\doreen@belnk[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Doreen\Cookies\doreen@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Doreen\Cookies\doreen@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Doreen\Cookies\doreen@go[1].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Erika\Application Data\Mozilla\Firefox\Profiles\4e7m2oie.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Erika\Application Data\Mozilla\Firefox\Profiles\4e7m2oie.default\cookies.txt[.did-it.com/]
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Erika\Application Data\Mozilla\Firefox\Profiles\4e7m2oie.default\cookies.txt[.gostats.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Erika\Application Data\Mozilla\Firefox\Profiles\4e7m2oie.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Humanclick Not disinfected C:\Documents and Settings\Erika\Application Data\Mozilla\Firefox\Profiles\4e7m2oie.default\cookies.txt[hc2.humanclick.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Guest\Application Data\Mozilla\Firefox\Profiles\4dvhu1m3.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Guest\Cookies\guest@belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Joy\Cookies\joy@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Joy\Cookies\joy@azjmp[2].txt
Adware:Adware/SearchExe Not disinfected C:\Program Files\Common Files\AOL\1155412438\ee\AOLSoftware.exe
Adware:Adware/SearchExe Not disinfected C:\Program Files\Common Files\Real\Update_OB\realsched.exe
Adware:Adware/SearchExe Not disinfected C:\Program Files\Creative\SBLive\Program\AHQInit.exe
Adware:Adware/SearchExe Not disinfected C:\Program Files\iTunes\iTunesHelper.exe
Adware:Adware/SearchExe Not disinfected C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
Adware:Adware/SearchExe Not disinfected C:\Program Files\Messenger\msmsgs.exe
Adware:Adware/SearchExe Not disinfected C:\Program Files\Norton AntiVirus\navapw32.exe
Adware:Adware/SearchExe Not disinfected C:\Program Files\QuickTime\qttask.exe
Potentially unwanted tool:Application/Zango Not disinfected C:\WINDOWS\SYSTEM32\1164201193.exe


=================================================================


And finally the hijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:31:57 PM, on 1/7/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Erika\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = remote.brooklyn.cuny.edu:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: Yahoo! Dominoes - http://download2.games.yahoo.com/games/clients/y/dot9_x.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/brooklyn/suppor...s/ebraryRdr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#5 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 08 January 2007 - 01:38 PM

http://noahdfear.geekstogo.com/FindAWF.exe to download FindAWF.exe and save it to your desktop.
· Double-click on the FindAWF.exe file to run it.
· It will open a command prompt and ask you to "Press any key to continue".
· Press any key and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
· It may take a few minutes to complete so be patient.
· When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or whatever location you ran the file from.
· Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#6 tropikana

tropikana
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 08 January 2007 - 02:16 PM

Here's the AWF file:


Find AWF report by noahdfear ©2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Documents and Settings\Doreen\Application Data\Microsoft\Word\~WRL4062.tmp"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 02:00 AM 90,112 Updreg.exe
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\ITUNES\BAK

10/30/2006 09:36 AM 256,576 iTunesHelper.exe
1 File(s) 256,576 bytes

Directory of C:\PROGRA~1\MESSEN~1\BAK

08/02/2001 08:14 AM 1,077,277 msmsgs.exe
1 File(s) 1,077,277 bytes

Directory of C:\PROGRA~1\MICROS~4\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

08/16/2001 06:52 PM 74,832 navapw32.exe
1 File(s) 74,832 bytes

Directory of C:\PROGRA~1\QUICKT~1\BAK

10/25/2006 06:58 PM 282,624 qttask.exe
1 File(s) 282,624 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

10/24/2006 03:10 PM 4,662,776 YAHOOM~1.EXE
1 File(s) 4,662,776 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

08/08/2006 10:16 AM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\SBLIVE\PROGRAM\BAK

03/28/2001 02:00 AM 102,400 AHQInit.exe
1 File(s) 102,400 bytes

Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

04/13/2005 02:48 AM 36,975 jusched.exe
1 File(s) 36,975 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\115541~1\EE\BAK

05/09/2006 07:24 PM 50,760 AOLSoftware.exe
1 File(s) 50,760 bytes

Directory of C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\bak\Updreg.exe"
35852 Dec 29 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
102400 Dec 28 2006 "C:\WINDOWS\Installer\{446DBFFA-4088-48E3-8932-74316BA4CAE4}\iTunesIco.exe"
108096 Oct 30 2006 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.0.2.16\iTunesSetupAdmin.exe"
35852 Dec 29 2006 "C:\Program Files\Messenger\msmsgs.exe"
1077277 Aug 2 2001 "C:\Program Files\Messenger\bak\msmsgs.exe"
35852 Dec 29 2006 "C:\Program Files\Norton AntiVirus\navapw32.exe"
74832 Aug 16 2001 "C:\Program Files\Norton AntiVirus\bak\navapw32.exe"
35852 Dec 29 2006 "C:\Program Files\QuickTime\qttask.exe"
282624 Oct 25 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Oct 24 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
35852 Dec 29 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Aug 8 2006 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
35852 Dec 29 2006 "C:\Program Files\Creative\SBLive\Program\AHQInit.exe"
102400 Mar 28 2001 "C:\Program Files\Creative\SBLive\Program\bak\AHQInit.exe"
35852 Dec 29 2006 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe"
50736 Sep 25 2006 "C:\Program Files\AIM6\aolsoftware.exe"
35852 Dec 29 2006 "C:\Program Files\Common Files\AOL\1155412438\ee\AOLSoftware.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1155412438\ee\bak\AOLSoftware.exe"


end of report

#7 MFDnSC

MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts
  • OFFLINE
  •  
  • Local time:03:43 AM

Posted 08 January 2007 - 02:34 PM

This is a strange virus in that it copies the good file to a backup and then lays in the bad one

so what you need to do is go to safe mode and then delete the fist file of the pai and the COPY the file in the BAK directory to the proper directory


C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe

C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Messenger\bak\msmsgs.exe

C:\Program Files\Norton AntiVirus\navapw32.exe
C:\Program Files\Norton AntiVirus\bak\navapw32.exe

C:\Program Files\QuickTime\qttask.exe
C:\Program Files\QuickTime\bak\qttask.exe

C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe

C:\Program Files\Creative\SBLive\Program\AHQInit.exe
C:\Program Files\Creative\SBLive\Program\bak\AHQInit.exe

C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_03\bin\bak\jusched.exe

C:\Program Files\Common Files\AOL\1155412438\ee\AOLSoftware.exe
C:\Program Files\Common Files\AOL\1155412438\ee\bak\AOLSoftware.exe"
"Nothing could be finer than to be in South Carolina ............"

Member ASAP




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users