Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92334 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

3 trojans


  • This topic is locked This topic is locked
18 replies to this topic

#1 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 16 February 2007 - 11:33 AM

Help!

Am visiting a relative and his computer is infected. Symantec has repeatedly identified and quarantined te.exe, trofKz.REG, kuz.exe AND ms0311.jar.... There seems to be a generic file name Annnnnnn.

Logfile of HijackThis v1.99.1
Scan saved at 1:05:21 AM, on 2/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\My Downloads\hijackthisuse_files\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://delspysoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zsfyhw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Net Cfg ] service.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\TEMP\private.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Rsar] C:\Documents and Settings\Wong\Application Data\uhss.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxmk846YYSG
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotb...ams/hbtools.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Win32 System Spool - Unknown owner - C:\WINDOWS\System32\spoolsvc.exe" -netsvcs (file missing)

Best regards,
catch33

    Advertisements

Register to Remove


#2 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 16 February 2007 - 01:29 PM

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

#3 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 16 February 2007 - 05:03 PM

Random/random, Don't have resources to reformat and re-install OS. Will appreciate your help in cleaning up system without having to buy a brand new one. Best regards, catch33

#4 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 17 February 2007 - 05:01 PM

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\SYSCFG16.EXE
C:\WINDOWS\System32\zsfyhw.exe
C:\WINDOWS\System32\service.exe
C:\WINDOWS\System32\spoolsvc.exe
C:\WINDOWS\System32\scvhosting.exe
C:\WINDOWS\System32\servicz.exe
C:\WINDOWS\TEMP\private.exe
C:\Documents and Settings\Wong\Application Data\uhss.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next please visit SpyKillers forum here

http://www.thespykil...x.php?board=1.0

Read the instructions for uploading files which is the first topic on the forum then start a new Topic named 'Files From TomCoyote Forum' , please then post a link to this thread and upload the requested files.cab archive from your desktop

To assist diagnosis I would like a list of installed programs.
  • Open HijackThis and select Open the Misc Tools section
  • Click on the Open Uninstall Managerů
  • Select the Save List button
  • I suggest that you accept the default name of uninstall_list.txt and save the file to your desktop
  • Close HijackThis
Download Gmer to your Desktop and unzip it to your Desktop.
http://www.gmer.net/gmer.zip

Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the rootkit tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked and uncheck the Registry box. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab then the scan button. Once its done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Post back with the GMER logs, the uninstall list, a new HijackThis log and a link to the topic at thespykiller where you uploaded the files.

#5 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 17 February 2007 - 06:59 PM

Random/random,

I used "3 trojans" as topic in the Spykiller Forum post. Should I re-post with suggested topic?

Uninstall list:
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Alcatel SpeedTouch USB Software
CDex extraction audio
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
HijackThis 1.99.1
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
LiveUpdate 1.80 (Symantec Corporation)
Microsoft Office XP Professional with FrontPage
Mozilla Firefox (2.0.0.1)
My Web Search (Smiley Central)
OLYMPUS CAMEDIA Master 4.1
Panda ActiveScan
Photo Loader 2.1E
Photohands 1.0E
PowerDVD
PowerQuest PartitionMagic 8.0
ProSavageDDR and Utilities
QuickCam
QuickTime
RealPlayer
S3Display
S3Gamma2
S3Info2
S3Overlay

gmerlog1:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-18 08:19:58
Windows 5.1.2600 Service Pack 1


---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntdll.dll!NtClose 77F758AA 5 Bytes JMP 7203407A
.text ntdll.dll!NtCreateProcess 77F759F4 5 Bytes JMP 72034205
.text ntdll.dll!NtCreateProcessEx 77F75A03 5 Bytes JMP 720340E9
.text ntdll.dll!NtCreateSection 77F75A21 5 Bytes JMP 72034098

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[1600] kernel32.dll!SetUnhandledExceptionFilter 77E7E5A1 9 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe

---- EOF - GMER 1.0.12 ----

gmerlog2:

GMER 1.0.12.12027 - http://www.gmer.net
Autostart scan 2007-02-18 08:22:04
Windows 5.1.2600 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon@DLLName = C:\WINDOWS\System32\NavLogon.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs = C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
DefWatch /*DefWatch*/@ = C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
Norton AntiVirus Server /*Symantec AntiVirus Client*/@ = C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
Pctspk /*PCTEL Speaker Phone*/@ = %SystemRoot%\system32\pctspk.exe
ScsiPort@ = %SystemRoot%\system32\drivers\scsiport.sys
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\System32\wdfmgr.exe
Win32 System Spool /*Win32 System Spool*/@ = "C:\WINDOWS\System32\spoolsvc.exe" -netsvcs /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Windows System ConfigurationC:\WINDOWS\SYSCFG16.EXE /*file not found*/ = C:\WINDOWS\SYSCFG16.EXE /*file not found*/
@SpeedTouch USB Diagnostics"C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
@PHIME2002ASyncC:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
@PHIME2002AC:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName = C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
@MSPY2002C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC = C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
@IMJPMIG8.1C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 = C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
@Cryptographic ServiceC:\WINDOWS\System32\zsfyhw.exe /*file not found*/ = C:\WINDOWS\System32\zsfyhw.exe /*file not found*/
@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime
@Windows Net Cfg service.exe /*file not found*/ = service.exe /*file not found*/
@Win32 System Spoolspoolsvc.exe /*file not found*/ = spoolsvc.exe /*file not found*/
@starterscvhosting.exe /*file not found*/ = scvhosting.exe /*file not found*/
@PrinterC:\WINDOWS\TEMP\private.exe /*file not found*/ = C:\WINDOWS\TEMP\private.exe /*file not found*/
@Microsoft Update Machineservicz.exe /*file not found*/ = servicz.exe /*file not found*/
@vptrayC:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe = C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
@MyWebSearch Email PluginC:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
@SunJavaUpdateSched"C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe" = "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
@TkBellExe"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
@KernelFaultCheck%systemroot%\system32\dumprep 0 -k = %systemroot%\system32\dumprep 0 -k
@Google Desktop Search"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices >>>
@starterscvhosting.exe /*file not found*/ = scvhosting.exe /*file not found*/
@Microsoft Update Machineservicz.exe /*file not found*/ = servicz.exe /*file not found*/
@Win32 System Spoolspoolsvc.exe /*file not found*/ = spoolsvc.exe /*file not found*/

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@MsnMsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
@starterscvhosting.exe /*file not found*/ = scvhosting.exe /*file not found*/
@WebCamRT.exe /*file not found*/ = /*file not found*/
@RsarC:\Documents and Settings\Wong\Application Data\uhss.exe /*file not found*/ = C:\Documents and Settings\Wong\Application Data\uhss.exe /*file not found*/
@Yahoo! Pager"C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet = "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
@MyWebSearch Email PluginC:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe = C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
@swgC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Outlook Custom Icon Handler*/C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL = C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office10\msohev.dll = C:\Program Files\Microsoft Office\Office10\msohev.dll
@{E0D79304-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79305-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{E0D79306-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0} /*Set Program Access and Defaults*/(null) =
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/C:\WINDOWS\System32\twext.dll /*file not found*/ = C:\WINDOWS\System32\twext.dll /*file not found*/
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/C:\WINDOWS\System32\twext.dll /*file not found*/ = C:\WINDOWS\System32\twext.dll /*file not found*/
@{BDA77241-42F6-11d0-85E2-00AA001FE28C} /*LDVP Shell Extensions*/C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
@{E0D79307-84BE-11CE-9641-444553540000} /*WinZip*/C:\PROGRA~1\WINZIP\WZSHLSTB.DLL = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
@{5464D816-CF16-4784-B9F3-75C0DB52B499} /*Yahoo! Mail*/C:\PROGRA~1\Yahoo!\Common\ymmapi.dll = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
@{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} /*Shell Extensions for RealOne Player*/C:\Program Files\Real\RealPlayer\rpshell.dll = C:\Program Files\Real\RealPlayer\rpshell.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
Yahoo! Mail@{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
LDVPMenu@{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
WinZip@{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{00A6FAF1-072E-44cf-8957-5838F569A31D}C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL = C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
@{07B18EA1-A523-4961-B6BB-170DE4475CCA}C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL = C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll = C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
@{9030D464-4C02-4ABF-8ECC-5164760863C6}C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll = C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar3.dll = c:\program files\google\googletoolbar3.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\PROGRA~1\Webshots\webshots.scr

HKLM\Software\Microsoft\Internet Explorer\Plugins\Extension\.spop@Location = C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft...p...&ar=msnhome
@Start Pagehttp://delspysoft.com = http://delspysoft.com
@Local Pagehttp://delspysoft.com = http://delspysoft.com

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://delspysoft.com = http://delspysoft.com
@Start Pagehttp://www.msn.com/ = http://www.msn.com/
@Local Pagehttp://delspysoft.com = http://delspysoft.com

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
cdo@CLSID = C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
dvd@CLSID = C:\WINDOWS\System32\msvidctl.dll
its@CLSID = C:\WINDOWS\System32\itss.dll
lid@CLSID = C:\WINDOWS\System32\msvidctl.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\System32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\System32\itss.dll
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
tv@CLSID = C:\WINDOWS\System32\msvidctl.dll
vnd.ms.radio@CLSID = C:\WINDOWS\System32\msdxm.ocx

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\System32\wiascr.dll

C:\Documents and Settings\Wong\Start Menu\Programs\Startup >>>
MyWebSearch Email Plugin.lnk = MyWebSearch Email Plugin.lnk
Webshots.lnk = Webshots.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup >>>
Microsoft Office.lnk = Microsoft Office.lnk
MyWebSearch Email Plugin.lnk = MyWebSearch Email Plugin.lnk
Photo Loader supervisory.lnk = Photo Loader supervisory.lnk
Reality Fusion GameCam SE.lnk = Reality Fusion GameCam SE.lnk

---- EOF - GMER 1.0.12 ----

3 trojans in Spykiller:

http://www.thespykil...x.php?board=1.0

Best regards,
catch33

#6 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 17 February 2007 - 07:04 PM

Forgot the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:42 AM, on 2/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\hijackthisuse_files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://delspysoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\SYSCFG16.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\zsfyhw.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Net Cfg ] service.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [starter] scvhosting.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\TEMP\private.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\RunServices: [starter] scvhosting.exe
O4 - HKLM\..\RunServices: [Microsoft Update Machine] servicz.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [starter] scvhosting.exe
O4 - HKCU\..\Run: [Rsar] C:\Documents and Settings\Wong\Application Data\uhss.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxmk846YYSG
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotb...ams/hbtools.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Win32 System Spool - Unknown owner - C:\WINDOWS\System32\spoolsvc.exe" -netsvcs (file missing)

#7 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 18 February 2007 - 04:33 AM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


#8 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 18 February 2007 - 06:36 PM

Random/random, Am having difficulty getting XP Pro to go into Safe Mode. Tried several suggested solutions running MSCONFIG but none gave any indication of being in Safe Mode even though I lost Internet connection. Does SDFIX require access to the Internet? Also, what is "Choose your usual account" at starting Safe Mode? Best regards, catch33

#9 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 18 February 2007 - 08:56 PM

Random/random,

Managed to go into Safe Mode via MSCONFIG>BOOT.INI. Ran SDFIX but it re-booted into Safe Mode with no visible sign that it was continuing with SDFIX. Since I could not go to the Internet in Safe Mode I used MSCONFIG to boot into Normal Mode. When I restarted, SDFIX continued its fixing.

SDFIX report:


SDFix: Version 1.66

Run by Wong - Mon 02/19/2007 @ 10:06:09.76

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Win32 System Spool

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\x.bat - Deleted
C:\WINDOWS\system32\TFTP1012 - Deleted
C:\WINDOWS\system32\TFTP1596 - Deleted
C:\WINDOWS\system32\TFTP176 - Deleted
C:\WINDOWS\system32\TFTP1764 - Deleted
C:\WINDOWS\system32\TFTP372 - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Documents and Settings\Wong\NetHood\whatson on www.3aw.com.au\Desktop.ini
C:\Documents and Settings\Wong\Desktop\kuoi\~WRL2802.tmp

Add/Remove Programs List:

Adobe Acrobat 5.0
CDex extraction audio
USB Storage Driver
Google Desktop
HijackThis 1.99.1
PowerQuest PartitionMagic 8.0
LiveUpdate 1.80 (Symantec Corporation)
Mozilla Firefox (2.0.0.1)
My Web Search (Smiley Central)
ProSavageDDR and Utilities
Panda ActiveScan
QuickTime
RealPlayer
S3Display
S3Gamma2
S3Info2
S3Overlay
Adobe Flash Player 9 ActiveX
Webshots Desktop
Winamp3 (remove only)
Windows Media Format Runtime
Windows Media Player 10
WinZip
Yahoo! Messenger
Yahoo! Toolbar
Symantec AntiVirus Client
USB CASIO Digital Camera Device Driver
Google Toolbar for Internet Explorer
V-Gear TalkCam Pro
OLYMPUS CAMEDIA Master 4.1
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
J2SE Runtime Environment 5.0 Update 10
Google Earth
QuickCam
Windows Live Sign-in Assistant
Photohands 1.0E
Windows Live Messenger
PowerDVD
PartitionMagic
Photo Loader 2.1E
Ad-Aware SE Personal
Microsoft Office XP Professional with FrontPage
SpeedTouch USB
Alcatel SpeedTouch USB Software

Finished


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:27:48 AM, on 2/19/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\hijackthisuse_files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://delspysoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com:8080
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\2.bin\MWSSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\2.bin\MWSBAR.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\2.bin\MWSOEMON.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZNxmk846YYSG
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotb...ams/hbtools.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

*****

The SDFIX log was after severl missteps...Does it make a difference if it is run under Administrator or user Wong who has administrative rights?

Best regards,
catch33

#10 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 19 February 2007 - 06:45 AM

It looks like SDfix worked, so don't worry about it

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 .
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Go to Start> Control Panel> Add or Remove Programs.

Remove the following programs, if they are present.
My Web Search (Smiley Central)
Acrobat reader is outdated, uninstall the one you have installed and install the latest one from here:

http://www.adobe.com.../readstep2.html

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.co...tup1.0.0.15.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} - http://installs.hotb...ams/hbtools.cab

Then close all windows except HijackThis and click Fix Checked

Go here to run an online scannner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept". After reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.

Post back with the Kaspersky log, a new HijackThis log and let me know how its running now

    Advertisements

Register to Remove


#11 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 19 February 2007 - 02:40 PM

Random/random,

Sorry for the delay. updating JRE turned out to be not as straight forward as I thought.

kav log:

 ■- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

K A S P E R S K Y O N L I N E S C A N N E R R E P O R T

T u e s d a y , F e b r u a r y 2 0 , 2 0 0 7 4 : 1 3 : 3 3 A M

O p e r a t i n g S y s t e m : M i c r o s o f t W i n d o w s X P P r o f e s s i o n a l , S e r v i c e P a c k 1 ( B u i l d 2 6 0 0 )

K a s p e r s k y O n l i n e S c a n n e r v e r s i o n : 5 . 0 . 8 3 . 0

K a s p e r s k y A n t i - V i r u s d a t a b a s e l a s t u p d a t e : 1 9 / 0 2 / 2 0 0 7

K a s p e r s k y A n t i - V i r u s d a t a b a s e r e c o r d s : 2 7 0 2 4 2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



S c a n S e t t i n g s :

S c a n u s i n g t h e f o l l o w i n g a n t i v i r u s d a t a b a s e : e x t e n d e d

S c a n A r c h i v e s : t r u e

S c a n M a i l B a s e s : t r u e



S c a n T a r g e t - M y C o m p u t e r :

A : \

C : \

D : \

F : \



S c a n S t a t i s t i c s :

T o t a l n u m b e r o f s c a n n e d o b j e c t s : 5 0 4 6 9

N u m b e r o f v i r u s e s f o u n d : 2 5

N u m b e r o f i n f e c t e d o b j e c t s : 9 7 / 0

N u m b e r o f s u s p i c i o u s o b j e c t s : 0

D u r a t i o n o f t h e s c a n p r o c e s s : 0 0 : 4 7 : 5 4



I n f e c t e d O b j e c t N a m e / V i r u s N a m e / L a s t A c t i o n

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 2 A C 0 0 0 0 . V B N I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 5 8 8 0 0 0 0 . V B N I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 6 F 0 0 0 0 0 . V B N I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 6 F 8 0 0 0 0 . V B N I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 8 8 0 0 0 0 . V B N I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 0 . V B N / d a t a . r a r / x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 0 . V B N / d a t a . r a r / t r o f k z . R E G I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 0 . V B N / d a t a . r a r I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 0 . V B N R a r S F X : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 0 . V B N C r y p t Z : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 1 . V B N / d a t a . r a r / t r o f k z . R E G I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 1 . V B N / d a t a . r a r / x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 1 . V B N / d a t a . r a r I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 1 . V B N R a r S F X : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 8 9 0 0 0 0 1 . V B N C r y p t Z : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 0 . V B N / I n s t a l l e r . c l a s s I n f e c t e d : T r o j a n - D o w n l o a d e r . J a v a . O p e n C o n n e c t i o n . a o s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 0 . V B N Z I P : i n f e c t e d - 1 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 0 . V B N C r y p t Z : i n f e c t e d - 1 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 1 . V B N / I n s t a l l e r . c l a s s I n f e c t e d : T r o j a n - D o w n l o a d e r . J a v a . O p e n C o n n e c t i o n . a o s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 1 . V B N Z I P : i n f e c t e d - 1 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 1 . V B N C r y p t Z : i n f e c t e d - 1 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 2 . V B N / d a t a . r a r / x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 2 . V B N / d a t a . r a r / t r o f k z . R E G I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 2 . V B N / d a t a . r a r I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 2 . V B N R a r S F X : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 2 . V B N C r y p t Z : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 3 . V B N / d a t a . r a r / x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 3 . V B N / d a t a . r a r / t r o f k z . R E G I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 3 . V B N / d a t a . r a r I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 3 . V B N R a r S F X : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 3 . V B N C r y p t Z : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 4 . V B N I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 5 . V B N I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 6 . V B N / d a t a . r a r / t r o f k z . R E G I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 6 . V B N / d a t a . r a r / x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 6 . V B N / d a t a . r a r I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 6 . V B N R a r S F X : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 6 . V B N C r y p t Z : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 7 . V B N / d a t a . r a r / t r o f k z . R E G I n f e c t e d : T r o j a n . W i n R E G . L o w Z o n e s . a s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 7 . V B N / d a t a . r a r / x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 7 . V B N / d a t a . r a r I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 7 . V B N R a r S F X : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ A l l U s e r s \ A p p l i c a t i o n D a t a \ S y m a n t e c \ N o r t o n A n t i V i r u s C o r p o r a t e E d i t i o n \ 7 . 5 \ Q u a r a n t i n e \ 0 A 8 8 0 0 0 7 . V B N C r y p t Z : i n f e c t e d - 3 s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ C o o k i e s \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l a s s . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l a s s . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ H i s t o r y \ H i s t o r y . I E 5 \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ F X Q 6 N V 5 1 \ m t r s l i b 2 [ 1 ] . j s I n f e c t e d : E x p l o i t . H T M L . C o d e B a s e E x e c s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ F X Q 6 N V 5 1 \ m t r s l i b 2 [ 2 ] . j s I n f e c t e d : E x p l o i t . H T M L . C o d e B a s e E x e c s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ F X Q 6 N V 5 1 \ m t r s l i b 2 [ 3 ] . j s I n f e c t e d : E x p l o i t . H T M L . C o d e B a s e E x e c s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ F X Q 6 N V 5 1 \ m t r s l i b 2 [ 4 ] . j s I n f e c t e d : E x p l o i t . H T M L . C o d e B a s e E x e c s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ F X Q 6 N V 5 1 \ m t r s l i b 2 [ 5 ] . j s I n f e c t e d : E x p l o i t . H T M L . C o d e B a s e E x e c s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ F X Q 6 N V 5 1 \ m t r s l i b 2 [ 6 ] . j s I n f e c t e d : E x p l o i t . H T M L . C o d e B a s e E x e c s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ F X Q 6 N V 5 1 \ m t r s l i b 2 [ 7 ] . j s I n f e c t e d : E x p l o i t . H T M L . C o d e B a s e E x e c s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ G 7 A R 8 L W L \ s e a r c h i t [ 1 ] . h t m I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . S e a r c h P a g e s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ U 5 I P 0 B Y J \ m t r s l i b 2 [ 1 ] . j s I n f e c t e d : E x p l o i t . H T M L . C o d e B a s e E x e c s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ N T U S E R . D A T O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ L o c a l S e r v i c e \ n t u s e r . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ N e t w o r k S e r v i c e \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l a s s . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ N e t w o r k S e r v i c e \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l a s s . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ N e t w o r k S e r v i c e \ N T U S E R . D A T O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ N e t w o r k S e r v i c e \ n t u s e r . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ c e r t 8 . d b O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ h i s t o r y . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ k e y 3 . d b O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ p a r e n t . l o c k O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ s e a r c h . s q l i t e O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ u r l c l a s s i f i e r 2 . s q l i t e O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ C o o k i e s \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b c 2 e . h t 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b d a m O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b d a o O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b e a m O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b e a o O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b m O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b u 2 d . h t 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b v m . c f 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ d b v m h . h t 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ f i i . c f 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ f i i h . h t 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ h p O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ h p t 2 i . h t 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ r p m . c f 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ G o o g l e \ G o o g l e D e s k t o p S e a r c h \ r p m h . h t 1 O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l a s s . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M i c r o s o f t \ W i n d o w s \ U s r C l a s s . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ C a c h e \ _ C A C H E _ 0 0 1 _ O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ C a c h e \ _ C A C H E _ 0 0 2 _ O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ C a c h e \ _ C A C H E _ 0 0 3 _ O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ A p p l i c a t i o n D a t a \ M o z i l l a \ F i r e f o x \ P r o f i l e s \ i 9 5 f e k 4 f . d e f a u l t \ C a c h e \ _ C A C H E _ M A P _ O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ H i s t o r y \ H i s t o r y . I E 5 \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ H i s t o r y \ H i s t o r y . I E 5 \ M S H i s t 0 1 2 0 0 7 0 2 2 0 2 0 0 7 0 2 2 1 \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ T e m p \ ~ D F 5 E 4 B . t m p O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ i n d e x . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ n t u s e r . d a t O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ n t u s e r . d a t . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ D o c u m e n t s a n d S e t t i n g s \ W o n g \ x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ s d f i x o l d \ b a c k u p s \ b a c k u p s . z i p / b a c k u p s / x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ s d f i x o l d \ b a c k u p s \ b a c k u p s . z i p Z I P : i n f e c t e d - 1 s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ M o u n t P o i n t M a n a g e r R e m o t e D a t a b a s e O b j e c t i s l o c k e d s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 1 \ A 0 0 0 0 0 5 7 . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 4 4 . d l l I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 4 5 . s c r I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 4 6 . D L L I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . F u n W e b . d s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 4 7 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . z s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 4 8 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 4 9 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 0 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . a f s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 1 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . a f s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 2 . S C R I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 3 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . v s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 4 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 5 . E X E I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 6 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . l s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 7 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 5 9 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . f s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 6 0 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . a x s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 6 1 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 6 2 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . t s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 6 3 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . a d s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 6 5 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 6 6 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . i s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 6 8 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . a i s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 6 9 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . p s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 7 0 . E X E I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 7 1 . D L L I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 4 \ A 0 0 0 0 4 7 6 . d l l I n f e c t e d : n o t - a - v i r u s : A d T o o l . W i n 3 2 . M y W e b S e a r c h . p s k i p p e d

C : \ S y s t e m V o l u m e I n f o r m a t i o n \ _ r e s t o r e { 2 F 3 6 A 2 3 D - 2 9 5 B - 4 D 2 3 - B 9 6 7 - 1 E F 1 3 2 F 0 2 5 E 5 } \ R P 7 \ c h a n g e . l o g O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ D e b u g \ o a k l e y . l o g O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ D e b u g \ P A S S W D . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ D o w n l o a d e d P r o g r a m F i l e s \ C O N F L I C T . 1 \ H D P l u g i n 1 0 1 9 . d l l I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . G a t o r . 1 0 1 9 s k i p p e d

C : \ W I N D O W S \ D o w n l o a d e d P r o g r a m F i l e s \ H b I n s t I E . d l l I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . H o t B a r . b j s k i p p e d

C : \ W I N D O W S \ D o w n l o a d e d P r o g r a m F i l e s \ H D P l u g i n 1 0 1 9 . d l l I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . G a t o r . 1 0 1 9 s k i p p e d

C : \ W I N D O W S \ D o w n l o a d e d P r o g r a m F i l e s \ W i n A d S e r v X . d l l I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . W i n A D s k i p p e d

C : \ W I N D O W S \ m m . e x e / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . W i n F e t c h e r . b s k i p p e d

C : \ W I N D O W S \ m m . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . W i n F e t c h e r . c s k i p p e d

C : \ W I N D O W S \ m m . e x e / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . W i n F e t c h e r . c s k i p p e d

C : \ W I N D O W S \ m m . e x e N S I S : i n f e c t e d - 3 s k i p p e d

C : \ W I N D O W S \ S c h e d L g U . T x t O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ S o f t w a r e D i s t r i b u t i o n \ R e p o r t i n g E v e n t s . l o g O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ S t i _ T r a c e . l o g O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ A p p E v e n t . E v t O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ d e f a u l t O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ d e f a u l t . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S A M O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S A M . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S e c E v e n t . E v t O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S E C U R I T Y O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S E C U R I T Y . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ s o f t w a r e O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ s o f t w a r e . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ S y s E v e n t . E v t O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ s y s t e m O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ s y s t e m . L O G O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ c o n f i g \ s y s t e m p r o f i l e \ L o c a l S e t t i n g s \ T e m p o r a r y I n t e r n e t F i l e s \ C o n t e n t . I E 5 \ K 5 E N W P E 7 \ W k s P a t c h [ 1 ] . e x e I n f e c t e d : N e t - W o r m . W i n 3 2 . W e l c h i a . b s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ h 3 2 3 l o g . t x t O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ R F E R R O R S . T X T O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ r f m s g l o g . t x t O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ w b e m \ R e p o s i t o r y \ F S \ I N D E X . B T R O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ w b e m \ R e p o s i t o r y \ F S \ O B J E C T S . D A T A O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ s y s t e m 3 2 \ x . b a t I n f e c t e d : T r o j a n . B A T . Z a p c h a s t s k i p p e d

C : \ W I N D O W S \ u n c a n n y . e x e / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . W i n F e t c h e r . b s k i p p e d

C : \ W I N D O W S \ u n c a n n y . e x e / d a t a 0 0 0 3 / d a t a 0 0 0 2 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . W i n F e t c h e r . c s k i p p e d

C : \ W I N D O W S \ u n c a n n y . e x e / d a t a 0 0 0 3 I n f e c t e d : n o t - a - v i r u s : A d W a r e . W i n 3 2 . W i n F e t c h e r . c s k i p p e d

C : \ W I N D O W S \ u n c a n n y . e x e N S I S : i n f e c t e d - 3 s k i p p e d

C : \ W I N D O W S \ w i a d e b u g . l o g O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ w i a s e r v c . l o g O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ W i n d o w s U p d a t e . l o g O b j e c t i s l o c k e d s k i p p e d

C : \ W I N D O W S \ W i n d U p . e x e I n f e c t e d : T r o j a n - D o w n l o a d e r . W i n 3 2 . W i n A D . m s k i p p e d

F : \ S y s t e m V o l u m e I n f o r m a t i o n \ M o u n t P o i n t M a n a g e r R e m o t e D a t a b a s e O b j e c t i s l o c k e d s k i p p e d



S c a n p r o c e s s c o m p l e t e d .

*****

Computer doesn't seem to run any differently.

Best regards,
catch33



Newest hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 4:23:59 AM, on 2/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\freecell.exe
C:\My Downloads\hijackthisuse_files\hijackthis.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://delspysoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#12 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 19 February 2007 - 03:33 PM

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe

Then close all windows except HijackThis and click Fix Checked

Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is turned off.

attrib -r -s -h C:\Documents and Settings\Wong\x.bat
attrib -r -s -h C:\WINDOWS\Downloaded Program Files\HbInstIE.dll
attrib -r -s -h C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
attrib -r -s -h C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
attrib -r -s -h C:\WINDOWS\mm.exe
attrib -r -s -h C:\WINDOWS\system32\x.bat
attrib -r -s -h C:\WINDOWS\uncanny.exe
attrib -r -s -h C:\WINDOWS\WindUp.exe
del /q C:\Documents and Settings\Wong\x.bat
del /q C:\WINDOWS\Downloaded Program Files\HbInstIE.dll
del /q C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll
del /q C:\WINDOWS\Downloaded Program Files\WinAdServX.dll
del /q C:\WINDOWS\mm.exe
del /q C:\WINDOWS\system32\x.bat
del /q C:\WINDOWS\uncanny.exe
del /q C:\WINDOWS\WindUp.exe


Save it to your Desktop as cleanup.bat. Save it as:
File Type: All Files (not as a text document or it wont work).
Name: cleanup.bat

Locate cleanup.bat on your Desktop and double-click it. A DOS window will open briefly and then close, this is normal


Download and scan with SUPERAntiSypware Free for Home Users
  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Udates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Post back with a new HijackThis log, the SUPERantispyware log and let me know how its running now

#13 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 19 February 2007 - 11:58 PM

Random/random,

Thanks again for your continuing help. Have not seen any warnings or instability of any sort so far.

SuperAntiSpyware log:

SUPERAntiSpyware Scan Log
Generated 02/20/2007 at 11:35 AM

Application Version : 3.5.1016

Core Rules Database Version : 3186
Trace Rules Database Version: 1196

Scan type : Complete Scan
Total Scan Time : 00:54:09

Memory items scanned : 396
Memory threats detected : 0
Registry items scanned : 5068
Registry threats detected : 0
File items scanned : 49169
File threats detected : 45

Adware.Tracking Cookie
C:\Documents and Settings\Wong\Cookies\wong@1070026478[1].txt
C:\Documents and Settings\Wong\Cookies\wong@mediaplex[2].txt
C:\Documents and Settings\Wong\Cookies\wong@qnsr[1].txt
C:\Documents and Settings\Wong\Cookies\wong@recipe[1].txt
C:\Documents and Settings\Wong\Cookies\wong@060325[1].txt
C:\Documents and Settings\Wong\Cookies\wong@73599386[1].txt
C:\Documents and Settings\Wong\Cookies\wong@pagead[3].txt
C:\Documents and Settings\Wong\Cookies\wong@pagead[2].txt
C:\Documents and Settings\Wong\Cookies\wong@try.starware[1].txt
C:\Documents and Settings\Wong\Cookies\wong@060302[1].txt
C:\Documents and Settings\Wong\Cookies\wong@www.burstnet[1].txt
C:\Documents and Settings\Wong\Cookies\wong@atdmt[2].txt
C:\Documents and Settings\Wong\Cookies\wong@azjmp[1].txt
C:\Documents and Settings\Wong\Cookies\wong@adtech[1].txt
C:\Documents and Settings\Wong\Cookies\wong@nextag[2].txt
C:\Documents and Settings\Wong\Cookies\wong@ads.addynamix[1].txt
C:\Documents and Settings\Wong\Cookies\wong@mywebsearch[2].txt
C:\Documents and Settings\Wong\Cookies\wong@81565442[1].txt
C:\Documents and Settings\Wong\Cookies\wong@partner2profit[1].txt
C:\Documents and Settings\Wong\Cookies\wong@edge.ru4[2].txt
C:\Documents and Settings\Wong\Cookies\wong@www.mediacorpradio[1].txt
C:\Documents and Settings\Wong\Cookies\wong@msnportal.112.2o7[1].txt
C:\Documents and Settings\Wong\Cookies\wong@cgi-bin[2].txt
C:\Documents and Settings\Wong\Cookies\wong@hitbox[1].txt
C:\Documents and Settings\Wong\Cookies\wong@N2614.MSN[1].txt
C:\Documents and Settings\Wong\Cookies\wong@questionmarket[2].txt
C:\Documents and Settings\Wong\Cookies\wong@belnk[1].txt
C:\Documents and Settings\Wong\Cookies\wong@track.searchignite[1].txt
C:\Documents and Settings\Wong\Cookies\wong@2o7[1].txt
C:\Documents and Settings\Wong\Cookies\wong@76107362[1].txt
C:\Documents and Settings\Wong\Cookies\wong@mediacorp.com[1].txt
C:\Documents and Settings\Wong\Cookies\wong@060324[1].txt
C:\Documents and Settings\Wong\Cookies\wong@pagead[1].txt
C:\Documents and Settings\Wong\Cookies\wong@1072707489[1].txt
C:\Documents and Settings\Wong\Cookies\wong@doubleclick[1].txt
C:\Documents and Settings\Wong\Cookies\wong@1069266559[1].txt
C:\Documents and Settings\Wong\Cookies\wong@N2335.MSN[1].txt
C:\Documents and Settings\Wong\Cookies\wong@ad[1].txt
C:\Documents and Settings\Wong\Cookies\wong@burstnet[2].txt
C:\Documents and Settings\Wong\Cookies\wong@adv.webmd[1].txt
C:\Documents and Settings\Wong\Cookies\wong@dist.belnk[2].txt
C:\Documents and Settings\Wong\Cookies\wong@ehg-greendot.hitbox[1].txt
C:\Documents and Settings\Wong\Cookies\wong@h.starware[2].txt
C:\Documents and Settings\LocalService\Cookies\system@banner2.inet-traffic[1].txt

Adware.HotBar (Low Risk)
C:\WINDOWS\Downloaded Program Files\HbInstIE.dll

Newest HiJackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:44:32 PM, on 2/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\hijackthisuse_files\hijackthis.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://delspysoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

*****

Best regards,
catch33

#14 random/random

random/random

    MRU Expert

  • Malware Expert
  • 481 posts

Posted 20 February 2007 - 04:35 AM

Did you set these yourself?

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://delspysoft.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://delspysoft.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://delspysoft.com

If not then I suggest you fix them with HijackThis

Aside from that it looks clean

You now appear to be clean. Congratulations!

Below are some steps to follow in order to dramatically lower the chances of reinfection
You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented
  • Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot.

    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.
    NOTE: only do this ONCE,NOT on a regular basis
  • Keep your antivirus updated
  • Use a firewall
    While the firewall built into windows XP will protect you from incoming attacks, it will not monitor outgoing connections
    It is therefore recommended that you install one of the following firewalls
    Sunbelt kerio personal firewall
    Zonealarm
  • Keep windows up to date with the latest patches


    IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

    If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.
  • Install spywareblaster
    Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes
    kill bits
    in the registry, so that certain activex controls can't install.
    If you don't know what activex controls are, see here
    You can download SpywareBlaster here here
    Make sure to update it on a regular basis
  • Install IE-SPYAD
    Dowload and instructions located here
    Make sure to update it on a regular basis
  • Use a HOSTS file
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    • Click the start button (at the lower left hand corner of your screen)
    • Click run
    • In the dialog box, type services.msc
    • hit enter, then locate dns client
    • Highlight it, then double-click it.
    • On the dropdown box, change the setting from automatic to manual.
    • Click ok
  • Install and use Ad-aware & Spybot search & destroy
    Instructions are located here
    Make sure to update them on a regular basis
  • Most exploits are aimed at internet explorer, so I recommend you switch to an altenative browser
    Two good alternative browsers are
    Firefox
    Opera
    It is essential to update to the latest version of your browser, as the updates fix known security holes
  • Even if you do decide to switch to another browser, it is still a good idea to lock down Internet explorer
    This can be done by following these simple instructions:
    From within Internet Explorer click on the Tools menu and then click on Options.
    Click once on the Security tab
    Click once on the Internet icon so it becomes highlighted.
    Click once on the Custom Level button.
    Change the Download signed ActiveX controls to Prompt
    Change the Download unsigned ActiveX controls to Disable
    Change the Initialize and script ActiveX controls not marked as safe to Disable
    Change the Installation of desktop items to Prompt
    Change the Launching programs and files in an IFRAME to Prompt
    Change the Navigate sub-frames across different domains to Prompt
    Change the allow paste operations via script to Disable
    When all these settings have been made, click on the OK button.
    If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.
  • Clean out you temp file on a regular basis
    I use and recommend ATF Cleaner by Attribune
    To use it, follow these instructions
    • Double-click ATF-Cleaner.exe to run the program.
    • Click Main at the top and choose Select All from the list.
    • Click the Empty Selected button.
    If you use Firefox browser:
    • Click Firefox at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser:
    • Click Opera at the top and choose Select All from the list.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
  • Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date


#15 catch33

catch33

    New Member

  • Authentic Member
  • Pip
  • 10 posts

Posted 21 February 2007 - 04:03 AM

Random/random,

Thanks for all your help. Will continue to implement your to-do list. In the meanwhile...

Newest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:56:04 PM, on 2/21/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\My Downloads\hijackthisuse_files\hijackthis.exe.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.singnet.com:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by21fd.bay21....es/MsnPUpld.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

*****

Best regards,
catch33

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users