
Someone Get Rid Of This B*stard, Please!


  • This topic is locked
13 replies to this topic

#1 el_edgar


Posted 07 May 2007 - 05:42 AM

Hi!

So, this started a couple weeks ago or so. Pop-up windows appear every 2-3 minutes whenever there is a browser window open (closing the browser stops it). Most pop-ups are blocked by IExplorer; some of them, however, succeed in showing me their ugly face. They show ads such as cosmomovie.com, socialnetworkcenter.com, IP 85.17.3.250, and many versions of Win Antivirus. I also get requests from strangers in Messenger, but I don't know if that's relevant.

Ad-aware finds nothing.

And worst of all: I cannot restore my system. When I try, on the reboot, the Restoring window reads it was unable to restore it. I have tried with several restore points.

This HJT log was taken right after rebooting:

Logfile of HijackThis v1.99.1
Scan saved at 13:27:09, on 07/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\ie.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
c:\archivos de programa\internet explorer\iexplore.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis programas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: (no name) - {1041e5f8-a381-47fe-a1fe-c9c596b908d1} - C:\WINDOWS\system32\ati2src.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [ASocksrv] SocksA.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Inicio rápido de Adobe Reader.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp4: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D34BC0-3755-494F-AB76-55F429A6F37F}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B6A04-06D1-4864-B0DF-BBFD267D55A1}: NameServer = 194.179.1.100,194.179.1.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D34BC0-3755-494F-AB76-55F429A6F37F}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{19D34BC0-3755-494F-AB76-55F429A6F37F}: NameServer = 80.58.61.250,80.58.61.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ati2src - C:\WINDOWS\SYSTEM32\ati2src.dll
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1150\Intel 32\IDriverT.exe



#2 ken545


Posted 08 May 2007 - 11:26 AM

el_edgar :D

Welcome to the forum. Please refrain from using any foul language even in its brief form. You have two major infections of the worst kind along with a possible Rootkit infection; it's a wonder your computer even starts up at all.

This is going to be a mouthful so I suggest you print this out.

Open HijackThis > Do a System Scan Only, close your browser and all open windows, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O4 - HKLM\..\Run: [ASocksrv] SocksA.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{19D34BC0-3755-494F-AB76-55F429A6F37F}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B6A04-06D1-4864-B0DF-BBFD267D55A1}: NameServer = 194.179.1.100,194.179.1.101
O17 - HKLM\System\CS1\Services\Tcpip\..\{19D34BC0-3755-494F-AB76-55F429A6F37F}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CS2\Services\Tcpip\..\{19D34BC0-3755-494F-AB76-55F429A6F37F}: NameServer = 80.58.61.250,80.58.61.254



Your computer has been hijacked by the lovely people in the Ukraine, you are infected with Wareout.

85.255.112.0 - 85.255.127.255
Inhoster hosting company
OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine




Please download FixWareout from one of these sites:
FixWareout Subratam
FixWareout Lonny
  • Save it to your desktop and run it.
  • Click Next, then Install,
  • Then make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please do so.
  • Your system may take longer than usual to load; this is normal.
  • At the end of the fix, you may need to restart your computer again.
Save the contents of the logfile C:\fixwareout\report.txt and post it into your next reply.

Now let's check some settings on your system. (For 2000/XP only)
  • Go to Start > control panel.
  • If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections.
  • Then right click on your default connection, usually local area connection for cable and dsl.
  • Left click on properties.
  • Click the Networking tab.
  • Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
  • Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems
  • Next, go to Start > Run, type cmd and hit OK
  • Type in ipconfig /flushdns then hit enter
    (that space between g and / is needed)
  • Type exit and hit Enter

For the next infection, run this program.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log





Post the results of the Wareout log, the SDFix log and a new HJT log. Keep in mind that this is just the tip of the iceberg.

Edited by ken545, 08 May 2007 - 11:59 AM.


 
 
 
 
Just a reminder that threads will be closed if no reply in 3 days.
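A triage sketch for the HijackThis log in post #1 and the entries singled out in post #2, added here as an example (it is not part of the thread, HijackThis, FixWareout or SDFix). It flags running processes that carry a core Windows binary name but sit outside their usual directory, and compares each O17 NameServer value with the address range quoted in the reply. The function names, the `C:\WINDOWS` install root, the directory table and the all-zero-GUID sample line are assumptions made for the example.

```python
import ipaddress
import ntpath
import re

# Address range quoted in post #2: 85.255.112.0 - 85.255.127.255.
QUOTED_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.IPv4Address("85.255.112.0"),
    ipaddress.IPv4Address("85.255.127.255")))

# Usual directory of some core Windows XP binaries, lower-cased.
# Assumption: Windows is installed in C:\WINDOWS, as in the posted log.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Excerpt of the log from post #1. The last O17 line (all-zero GUID) is
# constructed for this example so that the range check has something to hit.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ie.exe
C:\WINDOWS\svchost.exe

O4 - HKLM\..\Run: [ASocksrv] SocksA.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{19D34BC0-3755-494F-AB76-55F429A6F37F}: NameServer = 80.58.61.250,80.58.61.254
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B6A04-06D1-4864-B0DF-BBFD267D55A1}: NameServer = 194.179.1.100,194.179.1.101
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 85.255.113.10,85.255.112.200
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def running_processes(log):
    """Return the paths under 'Running processes:' up to the first blank line."""
    paths, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:
                break
            paths.append(line)
    return paths


def misplaced_system_binaries(log):
    """Flag processes named like a core binary but running from another folder.

    Names absent from EXPECTED_DIR (ie.exe, for instance) are not judged here;
    this check only catches impersonation of the listed system binaries.
    """
    flagged = []
    for path in running_processes(log):
        directory, name = ntpath.split(path.lower())
        expected = EXPECTED_DIR.get(name)
        if expected and directory != expected:
            flagged.append(path)
    return flagged


def nameservers_in_range(log, networks=QUOTED_RANGE):
    """Return (registry key, address) for each O17 NameServer inside networks."""
    hits = []
    for line in log.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue
        # HijackThis prints the servers as a comma-separated list.
        for raw in re.split(r"[,\s]+", match.group("servers").strip()):
            try:
                addr = ipaddress.IPv4Address(raw)
            except ipaddress.AddressValueError:
                continue  # skip anything that is not a dotted-quad address
            if any(addr in net for net in networks):
                hits.append((match.group("key"), str(addr)))
    return hits


if __name__ == "__main__":
    for path in misplaced_system_binaries(SAMPLE_LOG):
        print("system binary name outside its usual directory:", path)
    for key, addr in nameservers_in_range(SAMPLE_LOG):
        print("NameServer inside quoted range:", addr, "under", key)
```
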

#3 el_edgar


Posted 08 May 2007 - 04:20 PM

Hi!

Phew! OK, done everything. Well, except one thing: the part about switching to automatic DNS... That option I could not toggle. I did flush the DNS, but then my Internet connection wouldn't work. So I went back to the TCP/IP properties and typed the DNS provided by the router documentation, so I could continue with the process.

Here are the logs:

FIXWAREOUT report:

Fixwareout Last edited 4/5/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustota...h/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"AtiPTA"="atiptaxx.exe"
"SunJavaUpdateSched"="\"C:\\Archivos de programa\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\rqpopq.dll\",realset"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


SDFIX report:


SDFix: Version 1.83

Run by Edgar Cantero - 08/05/2007 - 23:34:14,67

Microsoft Windows XP [Versión 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmp1.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmp2.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmp3.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmp4.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmp4E.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmp5.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmp6.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmpB.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmpC.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\tmpD.tmp.exe - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\abc123.pid - Deleted
C:\DOCUME~1\EDGARC~1\CONFIG~1\Temp\autorun.inf - Deleted
C:\WINDOWS\ie.exe - Deleted
C:\WINDOWS\s.exe - Deleted
C:\WINDOWS\svchost.exe - Deleted
C:\WINDOWS\system\smss.exe - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\info.txt - Deleted
C:\WINDOWS\system32\ipv6monl.dll - Deleted
C:\WINDOWS\system32\ipv6monp.dll - Deleted
C:\WINDOWS\system32\ipv6monq.dll - Deleted
C:\WINDOWS\system32\ipv6monr.dll - Deleted
C:\WINDOWS\system32\ipv6mons.dll - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Edgar Cantero\\Mis documentos\\Mis programas\\eMule\\emule.exe"="C:\\Documents and Settings\\Edgar Cantero\\Mis documentos\\Mis programas\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Archivos de programa\\eMule\\emule.exe"="C:\\Archivos de programa\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Archivos de programa\\Telefonica\\KitAIM\\AimExDll.exe"="C:\\Archivos de programa\\Telefonica\\KitAIM\\AimExDll.exe:*:Enabled:Aplicación MFC AimExDLL"
"C:\\Archivos de programa\\Telefonica\\KitAIM\\AimMon.exe"="C:\\Archivos de programa\\Telefonica\\KitAIM\\AimMon.exe:*:Enabled:Aplicación MFC AIMMon"
"C:\\Archivos de programa\\GlobalSCAPE\\CuteFTP\\Cutftp32.exe"="C:\\Archivos de programa\\GlobalSCAPE\\CuteFTP\\Cutftp32.exe:*:Enabled:Winsock FTP Client"
"C:\\mIRC\\mirc.exe"="C:\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Archivos de programa\\Autodesk\\backburner\\monitor.exe"="C:\\Archivos de programa\\Autodesk\\backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Archivos de programa\\Autodesk\\backburner\\manager.exe"="C:\\Archivos de programa\\Autodesk\\backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Archivos de programa\\Autodesk\\backburner\\server.exe"="C:\\Archivos de programa\\Autodesk\\backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\\WINDOWS\\ie.exe"="C:\\WINDOWS\\ie.exe:*:Enabled:ie.exe"
"C:\\Archivos de programa\\Ahead\\Nero ShowTime\\ShowTime.exe"="C:\\Archivos de programa\\Ahead\\Nero ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Documents and Settings\\Edgar Cantero\\Mis documentos\\Mis juegos\\Quake III Arena\\quake3.exe"="C:\\Documents and Settings\\Edgar Cantero\\Mis documentos\\Mis juegos\\Quake III Arena\\quake3.exe:*:Disabled:quake3"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\82exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\82exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\55exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\55exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\75exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\75exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\78exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\78exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\31exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\31exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\74exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\74exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\83exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\83exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\37exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\37exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\63exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\63exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\32exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\32exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\40exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\40exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\14exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\14exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\47exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\47exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\45exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\45exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\25exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\25exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\62exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\62exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\48exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\48exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\94exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\94exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\11exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\11exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\92exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\92exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\16exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\16exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\43exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\43exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\96exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\96exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\56exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\56exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\88exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\88exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\51exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\51exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\44exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\44exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\Archivos de programa\\BitComet\\BitComet.exe"="C:\\Archivos de programa\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\76exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\76exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\81exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\81exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\10exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\10exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\57exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\57exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\98exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\98exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\15exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\15exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\21exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\21exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\53exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\53exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\90exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\90exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\38exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\38exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\12exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\12exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\6exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\6exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\71exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\71exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\85exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\85exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\18exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\18exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\22exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\22exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\72exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\72exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\87exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\87exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\34exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\34exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\27exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\27exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\59exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\59exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\8exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\8exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\95exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\95exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\29exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\29exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\58exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\58exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\41exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\41exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\5exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\5exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\99exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\99exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\86exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\86exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\1exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\1exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\42exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\42exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\4exmodul32f.i.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\4exmodul32f.i.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\63exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\63exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\31exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\31exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\93exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\93exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\30exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\30exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\20exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\20exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\49exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\49exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\76exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\76exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\24exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\24exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\33exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\33exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\9exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\9exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\27exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\27exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\38exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\38exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\86exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\86exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\87exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\87exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\68exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\68exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\37exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\37exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\77exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\77exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\71exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\71exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\92exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\92exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\34exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\34exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\41exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\41exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\55exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\55exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\94exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\94exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\81exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\81exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\75exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\75exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\26exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\26exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\19exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\19exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\10exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\10exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\18exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\18exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\50exmodul32f.k.exe"="C:\\DOCUME~1\\EDGARC~1\\CONFIG~1\\Temp\\50exmodul32f.k.exe:*:Enabled:Microsoft Update"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Archivos de programa\\TrackMania Sunrise Extreme Demo\\TmSunriseExtremeDemo.exe"="C:\\Archivos de programa\\TrackMania Sunrise Extreme Demo\\TmSunriseExtremeDemo.exe:*:Disabled:TmSunriseExtremeDemo"
"C:\\Archivos de programa\\TrackMania Original Demo\\TmOriginalDemo.exe"="C:\\Archivos de programa\\TrackMania Original Demo\\TmOriginalDemo.exe:*:Enabled:TmOriginalDemo"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe"="C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Archivos de programa\\MSN Messenger\\livecall.exe"="C:\\Archivos de programa\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------
C:\WINDOWS\system32\rsvp32_2.dll Found - Check LSP chain!

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\COMMAND.COM
C:\Archivos de programa\Accesorios\mspcx32.dll
C:\Archivos de programa\Accesorios\HyperTerminal\hticons.dll
C:\Archivos de programa\Accesorios\HyperTerminal\hypertrm.dll
C:\tel.xls.exe
C:\hhxjaezn.sys
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis basuras\~WRL1497.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis basuras\~WRL2748.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis basuras\Mis premios literarios\~WRL1579.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis basuras\Mis premios literarios\~WRL1720.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL0522.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL1223.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL1444.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL1457.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL2046.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL2263.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL2441.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL2511.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL2673.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL2774.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL2858.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL3264.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\~WRL3347.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis documentos\Liza\~WRL1273.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis estudios\~WRL1527.tmp
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis estudios\~WRL2703.tmp
C:\WINDOWS\SYSTEM32\config\default.tmp.LOG
C:\WINDOWS\SYSTEM32\config\software.tmp.LOG
C:\WINDOWS\SYSTEM32\config\system.tmp.LOG

Finished


and finally, new HIJACKTHIS report:

Logfile of HijackThis v1.99.1
Scan saved at 0:11:34, on 09/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis programas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: (no name) - {1041e5f8-a381-47fe-a1fe-c9c596b908d1} - C:\WINDOWS\system32\ati2src.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\tmp2.tmp.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\rqpopq.dll",realset
O4 - HKLM\..\Run: [ASocksrv] SocksA.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp4: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B6A04-06D1-4864-B0DF-BBFD267D55A1}: NameServer = 62.151.2.8,62.151.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ati2src - C:\WINDOWS\SYSTEM32\ati2src.dll
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1150\Intel 32\IDriverT.exe


Just tell me what next.

And thanks a lot in advance!

#4 ken545


Posted 08 May 2007 - 04:46 PM

You're doing well :thumbup:

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

I need the Vundo report and a New HJT log please


 
 
The forum is staffed by volunteers who donate their time and expertise.
If you feel you have been helped, please consider a donation.
 
Just a reminder that threads will be closed if no reply in 3 days.

#5 el_edgar


Posted 08 May 2007 - 06:16 PM

Done!

VUNDOFIX.txt :

VundoFix V6.3.21

Checking Java version...

Sun Java not detected
Scan started at 2:00:01 09/05/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp2.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!




And now, the HIJACKTHIS log:

Logfile of HijackThis v1.99.1
Scan saved at 2:12:44, on 09/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis programas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: (no name) - {1041e5f8-a381-47fe-a1fe-c9c596b908d1} - C:\WINDOWS\system32\ati2src.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\rqpopq.dll",realset
O4 - HKLM\..\Run: [ASocksrv] SocksA.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp4: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B6A04-06D1-4864-B0DF-BBFD267D55A1}: NameServer = 62.151.2.8,62.151.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: ati2src - C:\WINDOWS\SYSTEM32\ati2src.dll
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1150\Intel 32\IDriverT.exe


More! More!

#6 ken545


Posted 08 May 2007 - 06:37 PM

Still more to do, it may take a few more scans to get rid of this junk.


Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

 
 

#7 ken545


Posted 08 May 2007 - 06:46 PM

After you run Combofix and post the report, do two more things.

Download and Install CCleaner
If you don't want the Yahoo Toolbar, be sure to uncheck it during installation
* Click on Run Cleaner
* Run the Issues Scan <-- After it scans your system, when you click on the Fix button and it asks you to back up the Registry, say Yes
Tutorial for CCleaner


Then update your Java to close any holes for this stuff to get in.
  • Your Java is out of date and leaving your system vulnerable.
  • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
  • It should have an icon next to it:
    Select it and click Remove.
  • Reboot your system.
  • Then go to Sun Microsystems and install the update
  • Java Runtime Environment Version 6 Update 1 <--This is what you need to download and install.
  • If you chose the online installation, it will prompt you to run the program.
  • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
  • Then after install you can verify your installation here Sun Java Verify
I like to do the offline installation and save the setup file in case I may need it in the future.

 
 

#8 el_edgar


Posted 09 May 2007 - 04:44 AM

Hi again!

COMBOFIX report:

"Edgar Cantero" - 2007-05-09 12:19:26 Service Pack 2
ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Edgar Cantero\Escritorio\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ati2src.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\rsvp32_2.dll
c:\autorun.inf
c:\tel.xls.exe
C:\WINDOWS\system32\filekan.exe
C:\WINDOWS\system32\socksa.exe
C:\WINDOWS\backinf.tab
C:\WINDOWS\session.exe
C:\WINDOWS\svchost.exe
C:\WINDOWS\ufdata2000.log
C:\WINDOWS\system32\lsasss.exe


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_IPRIP
-------\Iprip


((((((((((((((((((((((((((((((( Files Created from 2007-04-09 to 2007-05-09 ))))))))))))))))))))))))))))))))))


2007-05-09 02:44 221,184 --a------ C:\WINDOWS\SYSTEM32\wmpns.dll
2007-05-09 02:36 <DIR> d-------- C:\Archivos de programa\MSXML 4.0
2007-05-09 02:00 <DIR> d-------- C:\VundoFix Backups
2007-05-08 13:48 106,768 --a------ C:\WINDOWS\rqpopq.dll
2007-05-07 17:08 <DIR> d-------- C:\WINDOWS\pss
2007-05-06 20:54 <DIR> d-------- C:\DOCUME~1\EDGARC~1\DATOSD~1\Uniblue
2007-05-06 19:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DATOSD~1\Spybot - Search & Destroy
2007-05-06 19:26 <DIR> d-------- C:\Archivos de programa\Uniblue
2007-04-17 00:39 <DIR> d-------- C:\Archivos de programa\Ultimate Stunts


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-09 10:11:55 68,914 ----a-w C:\WINDOWS\system32\perfc00A.dat
2007-05-09 10:11:55 440,040 ----a-w C:\WINDOWS\system32\perfh00A.dat
2007-05-09 00:49:52 -------- d-----w C:\Archivos de programa\Messenger
2007-05-08 23:46:28 -------- d-----w C:\Archivos de programa\eMule
2007-05-05 16:18:51 -------- d-----w C:\DOCUME~1\EDGARC~1\DATOSD~1\Canon
2007-04-29 17:20:52 -------- d-----w C:\Archivos de programa\Terragen
2007-04-28 00:46:09 -------- d-----w C:\Archivos de programa\ACD Systems
2007-04-28 00:46:05 -------- d-----w C:\Archivos de programa\Archivos comunes\ACD Systems
2007-04-06 20:37:35 -------- d-----w C:\Archivos de programa\FreeRIP2
2007-04-06 20:31:48 -------- d-----w C:\Archivos de programa\Blaze Media Pro
2007-04-05 21:28:32 37,630 ----a-w C:\WINDOWS\system32\NeroCheck.exe
2007-04-05 14:10:34 -------- d--h--w C:\Archivos de programa\InstallShield Installation Information
2007-04-05 13:27:15 -------- d-----w C:\Archivos de programa\Viewpoint
2007-04-04 19:24:12 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-03-31 00:02:48 -------- d-----w C:\Archivos de programa\Ant Renamer
2007-03-30 23:04:46 -------- d-----w C:\DOCUME~1\EDGARC~1\DATOSD~1\Brennig's
2007-03-30 20:30:32 -------- d-----w C:\Archivos de programa\Web CEO
2007-03-30 17:52:11 -------- d-----w C:\DOCUME~1\EDGARC~1\DATOSD~1\ACD Systems
2007-03-30 17:09:16 -------- d-----w C:\Archivos de programa\Google
2007-03-30 10:05:18 10,368 ------w C:\WINDOWS\system32\drivers\pfc.sys
2007-03-19 19:50:38 26 ----a-w C:\WINDOWS\popcinfo.dat
2007-03-17 19:52:41 -------- d-----w C:\Archivos de programa\Core Design
2007-03-17 13:45:06 293,376 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-09 19:22:13 -------- d-----w C:\DOCUME~1\EDGARC~1\DATOSD~1\uk.co.planetside
2007-03-08 15:36:30 578,560 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:30 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:30 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 15:32:46 1,843,712 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-02 20:35:30 164,352 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-02-10 17:22:42 8,704 ----a-w C:\WINDOWS\system32\sporder.dll
2007-02-10 17:22:12 69,120 ----a-w C:\WINDOWS\bul.exe
2007-02-10 17:21:53 92,888 ----a-w C:\WINDOWS\ho1.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"AtiPTA"="atiptaxx.exe"
"SunJavaUpdateSched"="\"C:\\Archivos de programa\\Java\\jre1.5.0_11\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Archivos de programa\\MSN Messenger\\msnmsgr.exe\" /background"


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\
Security Packages kerberosmsv1_0schannelwdigest\
Notification Packages scecli\



HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\asocksrv
SocksA.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mspy2002
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002a
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\phime2002async
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\soundman
SOUNDMAN.EXE


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter HTTPFilter\
LocalService AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService DnsCache\
DcomLaunch DcomLaunchTermService\
rpcss RpcSs\
imgsvc StiSvc\
termsvcs TermService\
p2psvc p2psvcp2pimsvcp2pgasvcPNRPSvc\

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
Shell\Auto\command C:\tel.xls.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{04e46f20-224c-11db-89c0-000244a98515}]
Shell\1\Command F:\.\RECYCLER\RECYCLER\autorun.exe
Shell\2\Command F:\.\RECYCLER\RECYCLER\autorun.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL .\RECYCLER\RECYCLER\autorun.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{afa404b4-708d-11da-938f-000244a98515}]
Shell\Auto\command F:\tel.xls.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b3941a4c-e832-11da-9457-000244a98515}]
Shell\Auto\command F:\tel.xls.exe
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL tel.xls.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC Nag.job
C:\WINDOWS\tasks\Uniblue SpeedUpMyPC.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-09 12:36:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


********************************************************************

Completion time: 2007-05-09 12:39:50 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-09 12:39






And new HIJACKTHIS log:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:30, on 09/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis programas\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp4: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B6A04-06D1-4864-B0DF-BBFD267D55A1}: NameServer = 62.151.2.8,62.151.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1150\Intel 32\IDriverT.exe



On to the CC cleaner and the Java thing...

#9 ken545

ken545

    Forum God

  • Retired Classroom Teacher
  • 23,225 posts
  • Interests:Fighting Malware and cooking some great Italian and TexMex food
  • MVP

Posted 09 May 2007 - 05:24 AM

Things are coming along well :thumbup: I appreciate all your quick responses and the feedback, you're helping me help you.

Remove this with HJT
O20 - AppInit_DLLs:


Post a new HJT log and let me know how your system is running now.

 
 

#10 el_edgar


Posted 09 May 2007 - 06:16 AM

Whoops!

On trying to delete the entry you told me, I got this message:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.


I closed HJT, restarted it, did another scan, and the entry had disappeared -- but a new one is taking its place; here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 14:10:17, on 09/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis programas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp4: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B6A04-06D1-4864-B0DF-BBFD267D55A1}: NameServer = 62.151.2.8,62.151.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1150\Intel 32\IDriverT.exe


The computer is doing OK, as far as I know. IE has been open for 15 minutes right now, and no pop-ups have attempted to emerge. (When I posted here first, they appeared swiftly after 2-3 minutes of internet browsing.) However, you implied the problems in the computer were far worse than that.

The system is quite slow, but that's not new. Besides, I just found out about disk defragging weeks ago; I promised myself to do it more often, and I will as soon as you consider this unit clean. :D

Thanks very, very much! What next?!
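
An entry-by-entry comparison of the two HijackThis logs from 09/05/2007 (12:41:30 and 14:10:17), as an added example that is not part of the original posts: it parses the entry lines and sorts the differences into removed, added and changed. The function names and the 0.85 similarity threshold are assumptions, and the embedded logs are excerpts of the ones posted above.

```python
import re
from difflib import SequenceMatcher

# Entry lines look like "O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe":
# a section code (letter + number), " - ", then the entry text.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

# Excerpts of the 12:41:30 and 14:10:17 logs posted above (most lines omitted).
BEFORE = r'''
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\cisvc.exe
C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.5.0_11\bin\jusched.exe"
O20 - AppInit_DLLs:
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
'''
AFTER = r'''
Running processes:
C:\WINDOWS\system32\lsass.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
'''


def parse_hjt(text):
    """Return (running processes, [(section, text), ...]) from a HijackThis log."""
    processes, entries, in_processes = [], [], False
    for line in map(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2).strip()))
        elif line == "Running processes:":
            in_processes = True
        elif in_processes and line:
            processes.append(line)
    return processes, entries


def diff_hjt(before, after, threshold=0.85):
    """Sort differences between two logs into removed, added and changed."""
    (procs_b, ents_b), (procs_a, ents_a) = parse_hjt(before), parse_hjt(after)
    removed = [e for e in ents_b if e not in ents_a]
    added = [e for e in ents_a if e not in ents_b]
    changed = []
    # Same section and near-identical text means the same item with a new
    # target (an upgraded install path, say), not a new autostart entry.
    for old in list(removed):
        scored = [(SequenceMatcher(None, old[1], new[1], autojunk=False).ratio(), new)
                  for new in added if new[0] == old[0]]
        if scored and max(scored)[0] >= threshold:
            new = max(scored)[1]
            changed.append((old, new))
            removed.remove(old)
            added.remove(new)
    gone = [p for p in procs_b if p.lower() not in {q.lower() for q in procs_a}]
    new_procs = [p for p in procs_a if p.lower() not in {q.lower() for q in procs_b}]
    return {"removed": removed, "added": added, "changed": changed,
            "procs_gone": gone, "procs_new": new_procs}


if __name__ == "__main__":
    for kind, items in diff_hjt(BEFORE, AFTER).items():
        print(kind, *items, sep="\n  ")
```

On these excerpts the only removed entry is the empty `O20 - AppInit_DLLs:` line, and the Java O2 and O4 entries are reported as changed (jre1.5.0_11 to jre1.6.0_01) rather than as added.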

#11 ken545


Posted 09 May 2007 - 10:17 AM

How are things in Madrid? Your log looks fine :thumbup: Let's do this, why don't you just use your computer for a couple of days and make sure nothing comes back. In a couple of days, post a new HJT log and let me know how you're doing. Ken :D

 
 

#12 el_edgar


Posted 11 May 2007 - 07:52 PM

Hello again!

I think this works fine. I've been using it for a couple of days with no incidences.

Here's a HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:46:37, on 12/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Ahead\Nero ShowTime\ShowTime.exe
C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Edgar Cantero\Mis documentos\Mis programas\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp4: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Archivos de programa\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C86B6A04-06D1-4864-B0DF-BBFD267D55A1}: NameServer = 62.151.2.8,62.151.8.100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WBSrv - C:\ARCHIV~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1150\Intel 32\IDriverT.exe

The only thing worrying me is that process, lsass.exe. It doesn't seem to do any bad, but anyway, what is it?

Thank you very, very much for everything! Donation's on the way!

#13 ken545


Posted 11 May 2007 - 08:16 PM

I think this works fine. I've been using it for a couple of days with no incidences.



The rest of your log looks clean :thumbup:

C:\WINDOWS\system32\lsass.exe
http://www.processli...ry/files/lsass/




How did I get infected in the first place? Read these links and find out how to prevent getting infected again.


Here are some free programs to install, don't leave home without them
  • Spybot Search and Destroy 1.4
    Check for Updates/ Immunize and run a Full System Scan on a regular basis.
  • Ad-Aware SE Personal 1.06
    Check for Updates and run a Full System Scan on a regular basis.
  • Spyware Blaster It will prevent most spyware from ever being installed.
  • Spyware Guard It offers realtime protection from spyware installation attempts.
  • Win Patrol This program will warn you when any changes are being made to your system and give you the option to deny the change.
  • IE-Spyad
    IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 2.0 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, and it will in no way interfere with IE; you can use them both.
  • Zone Alarm Here is a free Firewall from Zone Labs, I wouldn't access the internet without it.
Thanks for stopping by Tom Coyote, I'm glad I was able to help you. :D

 
 

#14 ken545


Posted 17 May 2007 - 09:33 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

 
 
