
ie problems

Discussion in 'Web & Email' started by aburnzi, Jan 22, 2007.

  1. aburnzi

    aburnzi Banned Thread Starter

    Joined:
    May 20, 2005
    Messages:
    72
    My explorer will not start up without displaying these 2 error messages first. It takes about half an hour for it to show, then shortly after IE opens Google. I try to search and then it goes to not responding.

    Error 1:

    iexplore.exe - application error

    The application failed to initialize properly (0xc0000142). Click OK to terminate the application..

    Error 2:

    Runtime Error

    Program: C\programefiles\internet explorer\iexplore.exe

    This application has requested to terminate it in an unusual way. Please contact the application support team for information.

    I'm currently using Firefox to post this thread so my connection is fine. Any idea on how to fix this please? Thanks.....
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    That could mean absolutely anything

    first step is see what is obvious in a HJT log

    go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
    Click on the entry in start menu or on the desktop to run HijackThis
    Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log.
    Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. milucass

    milucass

    Joined:
    Jan 23, 2007
    Messages:
    12
    Hi Derek,

    Error 1:

    iexplore.exe - application error

    The application failed to initialize properly (0xc0000142). Click OK to terminate the application..
     
  4. milucass

    milucass

    Joined:
    Jan 23, 2007
    Messages:
    12
    Hi Derek,

    Error 1:

    iexplore.exe - application error

    The application failed to initialize properly (0xc0000142). Click OK to terminate the application..

    --------------------

    I am getting exactly the same error. I have run the "HijackThis" and this is what I got... please help me as soon as you can. I will really appreciate it.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:00:20 PM, on 1/23/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CI_SERV.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\Sim9Sync.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\ifccsc21.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\htpatch.exe
    C:\WINNT\bak\htpatch.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169525412265
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O23 - Service: CI_SERV - Siemens AG - C:\WINNT\System32\CI_SERV.exe
    O23 - Service: SIMATIC NET FMS database loader (Dbfms) - Siemens AG - c:\SIEMENS\SIMATIC.NET\fs5412a2.nt\dbfmsser.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ifccsc18 - Unknown owner - C:\WINNT\system32\ifccsc18.exe
    O23 - Service: ifccsc21 - Unknown owner - C:\WINNT\system32\ifccsc21.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SIMATIC NET Synchronization Service (Sim9Sync) - Siemens AG - C:\WINNT\system32\Sim9Sync.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    by the looks of it, you might have some virus/worm/trojan activity

    You have no antivirus & that is extremely dangerous

    first step would be install a good working antivirus, do a full deep system scan & see what it finds & fixes

    try the trial version of Kaspersky 6

    select Free trial, Fill in the required email address & click submit

    follow download instructions then install it & run a full system scan and see what it finds
     
  6. milucass

    milucass

    Joined:
    Jan 23, 2007
    Messages:
    12
    Thanks a lot the antivirus you suggested me detected and eliminated Trojan activity and now I don't get the error message at all ... but IExplore6 still takes a loooong time to open. Am I missing something here?

    Thanks,

    Mirtha
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    let's have a new HJT log
     
  8. milucass

    milucass

    Joined:
    Jan 23, 2007
    Messages:
    12
    Here are the results. Thanks for your help.

    Mirtha
    --------------------------------
    Logfile of HijackThis v1.99.1
    Scan saved at 7:44:21 PM, on 1/25/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINNT\System32\CI_SERV.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\hidserv.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\Sim9Sync.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\ifccsc21.exe
    C:\WINNT\SOUNDMAN.EXE
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
    C:\WINNT\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [HTpatch] C:\WINNT\htpatch.exe
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINNT\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
    O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169525412265
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: klogon - C:\WINNT\system32\klogon.dll
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe" -r (file missing)
    O23 - Service: CI_SERV - Siemens AG - C:\WINNT\System32\CI_SERV.exe
    O23 - Service: SIMATIC NET FMS database loader (Dbfms) - Siemens AG - c:\SIEMENS\SIMATIC.NET\fs5412a2.nt\dbfmsser.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: ifccsc18 - Unknown owner - C:\WINNT\system32\ifccsc18.exe
    O23 - Service: ifccsc21 - Unknown owner - C:\WINNT\system32\ifccsc21.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SIMATIC NET Synchronization Service (Sim9Sync) - Siemens AG - C:\WINNT\system32\Sim9Sync.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    1. Please download The Avenger by Swandog46 to your Desktop.
    • Click on Avenger.zip to open the file
    • Extract avenger.exe to your desktop

    2. Copy all the text contained in the quote box below to your Clipboard by highlighting it and pressing (Ctrl+C):


    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


    3. Now, start The Avenger program by clicking on its icon on your desktop.
    • Under "Script file to execute" choose "Input Script Manually".
    • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    • Click Done
    • Now click on the Green Light to begin execution of the script
    • Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    • On reboot, it will briefly open a black command window on your desktop, this is normal.
    • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.

    when it reboots for the second time

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O4 - HKCU\..\Run: [Regscan] C:\WINNT\system32\regscan.exe
    O23 - Service: ifccsc18 - Unknown owner - C:\WINNT\system32\ifccsc18.exe
    O23 - Service: ifccsc21 - Unknown owner - C:\WINNT\system32\ifccsc21.exe


    now Start killbox,

    Then on killbox top bar press tools/delete temp files, in the pop up box towards the middle is a drop down box containing a list of all user accounts, on this drop down user account box select your account, select ALL options it will allow you to, then press delete selected temp files, then repeat for every user account listed in that drop down box

    then

    I need to see the log this makes

    http://noahdfear.geekstogo.com/FindAWF.exe
     
  10. milucass

    milucass

    Joined:
    Jan 23, 2007
    Messages:
    12
    Derek,

    This is what the Avenger shows after step 5

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\djswafpn

    *******************

    Script file located at: \??\C:\Documents and Settings\cxamwlib.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Driver ifccsc18 unloaded successfully.
    Driver ifccsc21 unloaded successfully.
    File C:\WINNT\system32\regscan.exe deleted successfully.
    File C:\WINNT\system32\ifccsc18.exe deleted successfully.
    File C:\WINNT\system32\ifccsc21.exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.


    Do I need to download and run the last executable?

    ------------------------------------------
    then

    I need to see the log this makes

    http://noahdfear.geekstogo.com/FindAWF.exe

    ------------------------------------------

    Thanks,

    Mirtha
     
  11. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    Yes you need to download & run findawf please

    also please do this

    please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

    Files to submit:

    C:\avenger\backup.zip
     
  12. milucass

    milucass

    Joined:
    Jan 23, 2007
    Messages:
    12
    Derek

    1. I uploaded the file c:\avenger\backup.zip
    2. This is the result of the FindAWF.exe

    -----------------------------------------------------


    Find AWF report by noahdfear ©2006


    21504 byte files found
    ~~~~~~~~~~~~~



    21504 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    25600 byte files found
    ~~~~~~~~~~~~~



    25600 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    26450 byte files found
    ~~~~~~~~~~~~~



    26450 byte files sorted with strings
    ~~~~~~~~~~~~~~~~~~~~~



    bak folders found
    ~~~~~~~~~~~


    Directory of C:\WINNT\BAK

    10/30/2002 03:40a 28,672 htpatch.exe
    1 File(s) 28,672 bytes

    Directory of C:\PROGRA~1\ITUNES\BAK

    09/16/2005 07:43a 274,432 iTunesHelper.exe
    1 File(s) 274,432 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    09/26/2005 07:29p 155,648 qttask.exe
    1 File(s) 155,648 bytes

    Directory of C:\WINNT\SYSTEM32\BAK

    09/09/2002 12:05a 114,688 hkcmd.exe
    09/09/2002 12:18a 155,648 igfxtray.exe
    06/20/2003 06:00a 320,000 regscan.exe
    05/09/2002 03:19a 303,104 sistray.EXE
    4 File(s) 893,440 bytes

    Directory of C:\PROGRA~1\ALPHAN~1\ANIWZC~1\BAK

    08/21/2003 03:12p 32,768 WZCSLDR.exe
    1 File(s) 32,768 bytes

    Directory of C:\PROGRA~1\ANALOG~2\SOUNDMAX\BAK

    06/26/2002 05:36p 90,112 Smtray.exe
    1 File(s) 90,112 bytes

    Directory of C:\PROGRA~1\D-LINK\AIRPLU~1\BAK

    11/04/2003 04:00p 2,502,656 AirPlusCFG.exe
    1 File(s) 2,502,656 bytes

    Directory of C:\PROGRA~1\GOOGLE\GOOGLE~1\12908~1.500\BAK

    10/21/2006 04:27p 163,576 GoogleToolbarNotifier.exe
    1 File(s) 163,576 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_0\BIN\BAK

    11/10/2005 12:03p 36,975 jusched.exe
    1 File(s) 36,975 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    24588 Jan 22 2007 "C:\WINNT\htpatch.exe"
    28672 Oct 30 2002 "C:\WINNT\bak\htpatch.exe"
    24588 Jan 22 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
    274432 Sep 16 2005 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    24588 Jan 22 2007 "C:\Program Files\QuickTime\qttask.exe"
    155648 Sep 26 2005 "C:\Program Files\QuickTime\bak\qttask.exe"
    24588 Jan 22 2007 "C:\WINNT\system32\hkcmd.exe"
    114688 Sep 9 2002 "C:\WINNT\system32\bak\hkcmd.exe"
    24588 Jan 22 2007 "C:\WINNT\system32\igfxtray.exe"
    155648 Sep 9 2002 "C:\WINNT\system32\bak\igfxtray.exe"
    320000 Jun 20 2003 "C:\WINNT\system32\bak\regscan.exe"
    24588 Jan 22 2007 "C:\WINNT\system32\sistray.EXE"
    303104 May 9 2002 "C:\WINNT\system32\bak\sistray.EXE"
    24588 Jan 22 2007 "C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe"
    32768 Aug 21 2003 "C:\Program Files\Alpha Networks\ANIWZCS Service\bak\WZCSLDR.exe"
    24588 Jan 22 2007 "C:\Program Files\Analog Devices\SoundMAX\Smtray.exe"
    90112 Jun 26 2002 "C:\Program Files\Analog Devices\SoundMAX\bak\Smtray.exe"
    24588 Jan 22 2007 "C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe"
    2502656 Nov 4 2003 "C:\Program Files\D-Link\AirPlus Xtreme G\bak\AirPlusCFG.exe"
    24588 Jan 22 2007 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe"
    163576 Oct 21 2006 "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe"
    24588 Jan 22 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
    36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"


    end of report
     
  13. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    OK, you do have an awf downloader problem
    I will post back with a fix shortly
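
The pattern visible in the FindAWF report above (live files that all share one size and date, each with an older, different-sized copy in a sibling bak folder) can be extracted mechanically from the "Duplicate files of bak directory contents" section. The following is an added example, not part of the thread and not FindAWF's own logic; the function names and the size-mismatch heuristic are assumptions made for illustration.

```python
import ntpath
import re
from collections import Counter

# A few lines copied from the "Duplicate files of bak directory contents"
# section of the report posted in this thread.
SAMPLE_REPORT = r'''
24588 Jan 22 2007 "C:\WINNT\htpatch.exe"
28672 Oct 30 2002 "C:\WINNT\bak\htpatch.exe"
24588 Jan 22 2007 "C:\WINNT\system32\hkcmd.exe"
114688 Sep 9 2002 "C:\WINNT\system32\bak\hkcmd.exe"
320000 Jun 20 2003 "C:\WINNT\system32\bak\regscan.exe"
24588 Jan 22 2007 "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
36975 Nov 10 2005 "C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe"
'''

# One report line: <size> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(
    r'^\s*(\d+)\s+([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"\s*$'
)


def parse_report(text):
    """Return (size, date, path) tuples; lines in any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            date = " ".join(m.group(2).split())
            entries.append((int(m.group(1)), date, m.group(3)))
    return entries


def pair_with_backups(entries):
    """Group each live file with the copy found in its sibling bak folder."""
    groups = {}
    for size, date, path in entries:
        folder, name = ntpath.split(path)
        is_bak = ntpath.basename(folder).lower() == "bak"
        live_folder = ntpath.dirname(folder) if is_bak else folder
        # Windows paths are case-insensitive, so key on the lowercased path.
        key = ntpath.join(live_folder, name).lower()
        slot = groups.setdefault(key, {"live": None, "bak": None})
        slot["bak" if is_bak else "live"] = (size, date, path)
    return groups


def triage(text):
    """Assumed heuristic: a live file whose bak copy has a different size is
    listed as replaced; a bak copy with no live file is listed as an orphan."""
    replaced, orphans = [], []
    for slot in pair_with_backups(parse_report(text)).values():
        live, bak = slot["live"], slot["bak"]
        if live and bak and live[0] != bak[0]:
            replaced.append({
                "live": live[2], "live_size": live[0], "live_date": live[1],
                "backup": bak[2], "backup_size": bak[0],
            })
        elif bak and not live:
            orphans.append(bak[2])
    # Many unrelated programs sharing one exact size is the cluster to notice.
    sizes = Counter(r["live_size"] for r in replaced)
    shared = {size: n for size, n in sizes.items() if n > 1}
    return {"replaced": replaced, "orphan_backups": orphans,
            "shared_live_sizes": shared}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for r in result["replaced"]:
        print(f'{r["live"]} ({r["live_size"]} bytes, {r["live_date"]}) '
              f'<- backup {r["backup"]} ({r["backup_size"]} bytes)')
    print("orphan backups:", result["orphan_backups"])
    print("shared live sizes:", result["shared_live_sizes"])
```

The output is a review list only; it changes nothing on disk.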
     
  14. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    first uninstall all old versions of sun java, download the new one BUT do not install the new one until we have fixed the problem

    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
    Please follow these steps to remove older version Java components and update.

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.


    Then download the attached bakfix.zip & save it to desktop, unzip it &

    double click the backfix.bat & it will delete the dodgy files & replace them with the backups

    once that has been done install the new Sun Java then

    Click here to download Dr.Web CureIt and save it to your desktop.
    • Doubleclick the drweb-cureit.exe file and allow to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look if you can click next icon next to the files found:
      [​IMG]
    • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
      [​IMG]
    • This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply along with a new HijackThis log.
     


  15. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,236
    First Name:
    Derek
    I don't seem to have got the upload at spykiller can you try again please
     

Short URL to this thread: https://techguy.org/537360
