Welcome Guest ( Log In | Register )

Discover the best free computer help!
Learn more about Geeks to Go by taking the tour. Spyware, virus, trojan, fake security or privacy alerts? Read the malware cleaning guide.
      
 
 Reply to this topicStart new topic
unable to remove spyware/trojans please help, clicker.fr generic.xks generic.xfv
darksource
post Jul 27 2006, 03:31 AM
Post #1


New Member
*
Posts: 7
OS: xp
Hello, I'm having difficulty in removing some spyware/trojans from my computer.
I have AVG and it keeps notifying me that my computer is infected with the following: clicker.fr, generic.xks, and generic.xfv

I'm unable to heal/move them to the vault and haven't been able to get rid of them with any other program.
I've ran CWShredder, Ad-aware, clean up, and Ewido...
and I've read the "you must read this before posting" thread.

please, any help would be much appreciated... these thinsg are really messing up my computer.



Logfile of HijackThis v1.99.1
Scan saved at 2:29:27 AM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Elliott\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmuxb.exe] C:\WINDOWS\system32\dmuxb.exe
O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe
O4 - HKLM\..\Run: [cbdye.exe] C:\WINDOWS\system32\cbdye.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F91695C-126F-4129-B4F5-D4AA77F3045D}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B15CD15-1B9F-4DC3-BC51-0ECF9DD29292}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6A5FA5F-2244-4D70-ABFD-7F8951A0E7A7}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{F451812D-B508-4348-9880-FCA22A69D7B9}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O17 - HKLM\System\CS2\Services\Tcpip\..\{0F5A8814-BE8E-44A2-9F95-C08A8C8773EA}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Go to the top of the page
 
+Quote Post
darksource
post Jul 27 2006, 05:56 AM
Post #2


New Member
*
Posts: 7
OS: xp
Sorry, this is not intended as a 'bump', so please don't delete/ban me.
I ran more tests in Safe Mode and cleared out more stuff, however, my computer is still having problems particularly something that has taken over my desktop background. it also will lose internet connection temporarily and all kinds of ads will pop up.
I've ran adawave, avg, ewido, cleanup!, cwshredder, and spysweeper.
thank you so much for your time

here are the latest logfiles for (this order):

Ewido
----
Spysweeper
----
HijackThis


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:15:43 PM 7/27/2006

+ Scan result:



C:\WINDOWS\system32\{A01B22DE-B60C-451C-9717-9791599A882D}.exe -> Adware.Raze : Cleaned with backup (quarantined).
C:\Documents and Settings\Elliott\My Documents\!Downloads!\Program Installers\EvID4226Patch223d-en.zip/EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Ignored.
D:\My Documents\!Downloads!\Program Installers\EvID4226Patch223d-en.zip/EvID4226Patch.exe -> Not-A-Virus.Hacktool.EvID : Ignored.
:mozilla.35:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.51:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.12:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.13:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.25:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.59:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.60:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.64:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.52:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.53:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.54:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.55:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.56:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.15:C:\Documents and Settings\Elliott\Application Data\Mozilla\Firefox\Profiles\lzlnagef.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\WINDOWS\system32\arukl.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cbdye.exe -> Trojan.DNSChanger.ef : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{0C31D9AF-B563-4E94-8CDE-5141497C64EE}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{1393517D-990D-432E-A134-0AB2DF501AE2}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{199BEA12-1C37-4FBE-B2B0-99A4C4F15219}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{19BED581-91E9-4294-9D9F-761500BD6873}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{1BF7A32D-E117-418B-9736-D6F3025AF036}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{1C78778F-1D5E-4AB8-BCCB-FE3DFA8AE287}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{20B86DA3-D7EA-4A81-9E44-332C5D48E6D3}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{22C366B0-4ADE-4F3B-8A06-4EDB8899A964}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{26EFD388-8DA6-46FC-831B-E94B504A95B8}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{32504C07-1881-4003-AFDB-8C7AE37C58E3}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{333DDDE2-E981-4FA9-878D-2137CD4456C4}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{3644460C-2268-46D5-9229-F48D7DB187B7}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{3E8F8BD6-5B3B-4918-A6B8-2C0810DD38A6}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{4006AC5E-4760-484F-B0FC-C7B3010E197F}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{42563A0E-08C9-4E28-A344-B57FB746C5AA}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{491FA7CD-546A-4256-9C23-2F99F2774BC7}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{5494C9E4-8A86-4F77-AECF-75EAC3319452}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{5638530E-196C-437D-A053-61620DC00B36}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{57AF5325-6246-4EBF-A4B5-687762CE8A5D}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{582DBE33-070E-4DD5-9323-B1159BD91F38}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{6060D2DD-7C39-4F6F-8677-4228BEA4C21A}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{64A6ED09-FA5E-47E8-A5E1-72F21D500275}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{6CE98D78-DA6D-466F-8258-1092506AE872}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{8221BFD4-2F60-4472-81FA-B242C47AC43B}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{8338DA02-46A4-4ECB-B11F-93788ECD91F7}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{84EC836F-6151-4C6B-AC23-212CC34B6567}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{850E90EA-879C-4A31-A4AF-E963C0314D0E}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{85E7B1BF-BD7C-4615-8734-34D343188DB6}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{8BA19F3C-A59E-4792-9A50-C3BEB8FCA684}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{8CD3E542-4187-471C-BE27-14659A7E35DB}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{947E6633-715E-485A-A2DD-D06F6895F5AD}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{96D81C62-6F54-4787-8670-4463C25E09B8}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{991EA4B6-44CE-4C0B-9CA2-7DE4E5517164}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{9BBBB7FE-30FF-4EC8-B0B1-22A3B37CB5BF}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{A11DFB66-C332-41C7-9237-7B46B22C8567}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{A1867FEF-6D60-4D3B-911C-AFF59B89EB43}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{B0030000-8F65-4B87-9CAF-F179173192ED}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{B16ED35D-1016-4399-A1C8-88C6F96963C0}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{B1D5CD46-8E52-4A68-8B15-C4478F72C3D9}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{B8B40FC0-5E4A-43DD-B629-784932259519}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{BD7A6911-0B5F-4ABA-A220-5410B02585E4}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{C5055764-7A3D-498E-B130-C92FC30A64EF}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{C96DD829-E6E2-4F31-8377-6F839C090F16}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{CAD97399-79BE-4A1F-BAE4-5B911367E4D4}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{CB605FA9-79BA-425F-BF1F-8421FF83F382}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{CB88915D-59D0-4D08-99EE-2BCB20720BE6}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{D1B72892-B034-4532-BE72-0DD0B7FB5423}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{D2F7B9D1-41DA-4A50-B69D-01BB1FC5CB78}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{D73611B4-7777-4885-9338-E0811804F00C}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{E162369B-252C-41DD-BC2C-19B407F9371B}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{EC1D8627-EC08-4725-8232-38961DB346D8}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{FCD77923-370A-499E-9B18-09D93B56E4DF}.exe -> Trojan.Puper.bx : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{0319696D-050C-40E8-B3DB-4B085A8AF905}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{07DE21EB-98D9-45FF-994A-1DB585976D77}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{0AC1AB08-8BEA-478C-B8FB-4BB97B23B3D5}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{0B19C9B6-66E2-4066-8246-16E1A1C35F87}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{0CA66D91-5EB9-4B3B-8E4C-2F3F4B860ABA}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{1C7F63DD-2036-4108-B589-93494C3D643A}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{1F93B316-F166-4B50-B5A6-D98BF8F52341}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{1FE55D4E-979F-4A72-B75E-51C08B792BAA}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{29CB403F-F0C0-42B0-9A1D-540C17F6F50F}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{2A79A1B7-AD61-4138-B5C9-B02506E1E293}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{2B693E15-6926-4D6B-B2EB-F15CC5CD4913}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{31F77108-B03B-4D60-A040-2657919FD85A}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{33DF6BD8-B395-4797-8550-38703A476F96}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{36252E36-DB3E-4E67-8D0E-9BD0EAF6617B}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{385AF3F4-009D-4B7C-8BBA-F265F44386C5}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{3F99148C-E503-4DAE-A9D9-0A89D32ED1F1}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{4101D0DA-71B5-47EA-B2F5-C25A59D94E33}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{41950DF8-68B7-4F82-916B-95BA16B2CA7C}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{4AEB315D-BF28-4E9E-A6B8-16137CFAA5A0}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{4C0EB07C-631E-4010-B917-89251A383401}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{4FF84102-FE37-4A80-A654-0565CC8C5338}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{504CAA9A-658F-45E5-BF32-315C6663FADE}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{52D349BD-114A-47A3-B3B2-5329FDF16D17}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{57DB018D-391A-42AB-88C8-D64233DF4AAC}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{5FB07143-43A5-4838-A68D-20C74CBD0395}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{633D63E2-D636-4F2C-94CC-BBBB7FAB9DD5}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{6464DDCB-A4AE-4890-8A0C-D46B9CAE3CEB}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{646CFC1A-1E58-41E8-A39E-10BF712DFA0D}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{648E6EC6-8831-4313-8CDA-71AA26CE6BA4}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{68C8B764-89C4-43E7-8C65-2EE3B62A12F9}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{692FE315-1373-4A3C-A1A4-7B5C0E4FFE08}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{6FF4B5C0-877C-4427-9E61-EF0E79BEAC57}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{7E57A4D2-A133-401E-A9CF-1E2DB34EEE70}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{81008283-60FC-4D8F-A5AE-CBC2B9738F36}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{8921E03B-C859-4C0D-BD68-1932D6EB7F32}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{95E429F5-52B6-478E-A310-97D955FAF319}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{A457025B-C3CD-40E7-8826-0F536FCD8483}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{AB40A143-1439-4CB8-9337-86C52DA18B1A}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{AD32C7C2-F888-422B-9174-F222CAF9E464}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{B12D3CDD-482E-4F3D-8A9A-0D8D2B0E62E5}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{B6AE61C5-82DB-43A9-91A6-D75B24E2C5ED}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{CDAA661C-D517-4771-A493-8704FDC4ADC0}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{CE82AEF5-C3AA-4187-B112-91C9116E347F}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{D143ADFE-E52B-44F3-B447-2D7C2BBC210E}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{D75CF7A3-0F06-40C2-A78E-D121C7488FB4}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{DA43DF46-5F63-4D57-9121-5D7E2A7ABCDA}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{DB15F3F5-C983-47F1-9B71-FFAF5F9EAC30}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{DD596791-C284-49A9-BD03-731A7B2A0CFF}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{E5E0A8D9-166C-499F-A137-8FF2FCBD82B4}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{E7B5BA1B-8F4E-4386-9C78-3FD0B8B04FC8}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{F7346CBD-9C73-4A16-BF59-AD8171540B4A}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).
C:\WINDOWS\system32\{FE6D0A31-FB2C-40E0-97FF-EC1071808ED9}.exe -> Trojan.Small.gq : Cleaned with backup (quarantined).


::Report end


-------------
spy sweeper:



6:48 PM: Removal process completed. Elapsed time 00:00:02
6:48 PM: Quarantining All Traces: trojan-downloader-ruin
6:48 PM: Quarantining All Traces: searchtoolbar
6:48 PM: Removal process initiated
6:39 PM: Traces Found: 8
6:39 PM: Full Sweep has completed. Elapsed time 01:17:32
6:39 PM: File Sweep Complete, Elapsed Time: 01:16:23
5:44 PM: jedi mind tricks - the psycho-social, chemical, biological, and electromagnetic manipulation of human consciousness.m3u (ID = 0)
5:44 PM: Found System Monitor: potentially rootkit-masked files
5:44 PM: Warning: Failed to access drive H:
5:44 PM: Warning: Failed to access drive G:
5:27 PM: dmbxa.exe (ID = 147)
5:26 PM: csbie.exe (ID = 246)
5:22 PM: Starting File Sweep
5:22 PM: Warning: Failed to access drive A:
5:22 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:22 PM: Starting Cookie Sweep
5:22 PM: Registry Sweep Complete, Elapsed Time:00:00:07
5:22 PM: HKU\S-1-5-21-343818398-1659004503-839522115-1003\software\microsoft\internet explorer\toolbar\shellbrowser\ || {08bec6aa-49fc-4379-3587-4b21e286c19e} (ID = 1020297)
5:22 PM: HKU\S-1-5-21-343818398-1659004503-839522115-1003\software\searchtoolbar\ (ID = 141343)
5:22 PM: HKLM\software\microsoft\windows\currentversion\ruins\ (ID = 605128)
5:22 PM: HKLM\software\microsoft\windows\currentversion\urls\ (ID = 605127)
5:22 PM: Found Trojan Horse: trojan-downloader-ruin
5:22 PM: HKLM\software\searchtoolbar\ (ID = 141346)
5:22 PM: Found Adware: searchtoolbar
5:22 PM: Starting Registry Sweep
5:22 PM: Memory Sweep Complete, Elapsed Time: 00:00:51
5:21 PM: Starting Memory Sweep
5:21 PM: Sweep initiated using definitions version 691
5:21 PM: Spy Sweeper 5.0.5.1286 started
5:21 PM: | Start of Session, Thursday, July 27, 2006 |
********
5:21 PM: | End of Session, Thursday, July 27, 2006 |
5:19 PM: Program Version 5.0.5.1286 Using Spyware Definitions 691
5:19 PM: Spy Sweeper 5.0.5.1286 started
5:19 PM: | Start of Session, Thursday, July 27, 2006 |
********





----------------------





Logfile of HijackThis v1.99.1
Scan saved at 6:53:30 PM, on 7/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Elliott\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dmuxb.exe] C:\WINDOWS\system32\dmuxb.exe
O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [STYLEXP] "C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F91695C-126F-4129-B4F5-D4AA77F3045D}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B15CD15-1B9F-4DC3-BC51-0ECF9DD29292}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6A5FA5F-2244-4D70-ABFD-7F8951A0E7A7}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\..\{F451812D-B508-4348-9880-FCA22A69D7B9}: NameServer = 85.255.114.11,85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



This post has been edited by darksource: Jul 27 2006, 08:09 PM
Go to the top of the page
 
+Quote Post
Flrman1
post Jul 28 2006, 11:19 PM
Post #3


Malware Assassin
Group Icon
Posts: 6,596
OS: XP Home, XP Pro, Vista



Hi darksource

Welcome to GTG! smile.gif

** First you need to download the following tools and have them ready to run. Do not run any of them until instructed to do so:


* Click here to download Fixwareout.exe and save it to your desktop.


* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


** Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.
  • Open Spysweeper and click on the "Options" button on the left.
  • Click on the "Program Options" tab and uncheck "Load at windows startup".
  • On the left click on the "Shields" button.
  • Click the "Internet Explorer" tab and then uncheck everything there.
  • Click on the "Startup Programs" tab and uncheck "Startup Shield"
  • Click on the "Browser Add-ons" tab and uncheck "Browser Helper Object (BHO) Shield"
  • Exit Spysweeper.
  • Leave them disabled until we are finished here.
  • Important! Make sure you remember to re-enable these options when we are finished.


* Run Fixwareout:
  • Doubleclick on the Fixwareout.exe file to run it.
  • Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
  • The fix will begin. Follow the prompts.
  • You will be asked to reboot your computer, please do so.
  • Your system may take longer than usual to load, this is normal.
  • When your system reboots, a text file will open called report.txt.
  • Close the report.txt file. It has been saved already.
  • Open Hijack This and click on the "Do a System Scan Only" button.
  • In Hijack This, put a check by the following entries:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    O4 - HKLM\..\Run: [dmuxb.exe] C:\WINDOWS\system32\dmuxb.exe

    O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe

    O17 - HKLM\System\CCS\Services\Tcpip\..\{0F91695C-126F-4129-B4F5-D4AA77F3045D}: NameServer = 85.255.114.11,85.255.112.234

    O17 - HKLM\System\CCS\Services\Tcpip\..\{3B15CD15-1B9F-4DC3-BC51-0ECF9DD29292}: NameServer = 85.255.114.11,85.255.112.234

    O17 - HKLM\System\CCS\Services\Tcpip\..\{E6A5FA5F-2244-4D70-ABFD-7F8951A0E7A7}: NameServer = 85.255.114.11,85.255.112.234

    O17 - HKLM\System\CCS\Services\Tcpip\..\{F451812D-B508-4348-9880-FCA22A69D7B9}: NameServer = 85.255.114.11,85.255.112.234

    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234

    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.11 85.255.112.234

  • After checking each of those entries in Hijack This, click the "Fix Checked" button then exit Hijack This.


* Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step .

CAUTION!: It is possible that your Internet Service Provider requires specific settings here. Make sure you know if you need specific DNS settings here or not before you proceed to make the following changes or you may lose your internet connection. If you are sure you do not need a specific DNS address here, you may proceed.
  • Double-click the Network Connections icon
  • Right-click the Local Area Connection icon and select Properties.
  • Hilight Internet Protocol (TCP/IP) and click the Properties button.
  • Be sure Obtain DNS server address automatically is selected.
  • OK your way out.


* Go to Start > Run and type in cmd
  • Click OK.
  • This will open a command prompt.
  • Type or copy and paste the following line in the command window:

    ipconfig /flushdns

  • Hit Enter
  • Exit the command window



* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\WINDOWS\system32\dmuxb.exe

    C:\WINDOWS\system32\mdjbf.exe

  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confimation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Next in Killbox go to Tools > Delete Temp Files
  • In the window that pops up, put a check by ALL the options there except these three:
    • XP Prefetch
    • Recent
    • History
  • Now click the Delete Selected Temp Files button.
  • Exit the Killbox.


* Go to Control Panel > Internet Options.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.


* Restart back into Windows normally now.


* Run Kaspersky online virus scan here.

When given the option, choose the "Extended database" for the scan.

When the scan is finished, Save the results from the scan!


* Go to your C drive and find the fixwareout folder. Open the Report.txt file. Copy and paste the contents of Report.txt here along with a new HiJackThis log and the results from Kaspersky scan

* Also open Hijack This and click on the "Open the Misc Tools section" button. Click on the "Open Uninstall Manager" button. Click the "Save List" button. Copy and paste that list here.
Go to the top of the page
 
+Quote Post
darksource
post Jul 29 2006, 01:33 AM
Post #4


New Member
*
Posts: 7
OS: xp
hello, thank you for the response.

When doing the kaspersky scan, I didn't know what area to scan, so I just selected the first option. here is that log (followed by the fixwareout, new HJT log, and the uninstaller 'Save List'):

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 29, 2006 12:10:42 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/07/2006
Kaspersky Anti-Virus database records: 209760
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\Elliott\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 11143
Number of viruses found: 0
Number of infected objects: 0 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:06:17

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5597.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



---------------------



Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmuxb.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Other suspects
Directory of C:\WINDOWS\system32
{A7C7A12F-1277-4DE4-940B-B984BE53F1F7}.exe
{AAAC354C-A10F-4CFC-96CF-3569A7B4C0F1}.exe
{107202BF-9C9C-4140-AF27-BE6CAC1B227E}.exe
{C7A23916-1816-4267-9931-632AB8806C61}.exe

-------------------


Logfile of HijackThis v1.99.1
Scan saved at 12:31:01 AM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Elliott\Desktop\antivirus\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat

5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common

Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems

Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware

4.0\guard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program

Files\Webroot\Spy Sweeper\SpySweeper.exe


---------------



Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Stock Photos 1.0
ASUS WLAN Card Utilities/Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HYDRAVISION
AVG Free Edition
BitTornado 0.3.7
CleanUp!
Collectorz.com MP3 Collector
Cool Edit Pro 2.0
dBpowerAMP AAC Codec
dBpowerAMP FLAC Codec
dBpowerAMP Music Converter
dBpowerAMP Ogg Vorbis Codec
DVD Decrypter (Remove Only)
DVD Shrink 3.2
ewido anti-spyware 4.0
HijackThis 1.99.1
iScrobbler
iTunes
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
Marvell Miniport Driver
MaxMSP 4.5.7
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 2.0
MixMeister Express 6 Demo
Mozilla Firefox (1.5.0.5)
Native Instruments Traktor DJ Studio v2.6.1.022
Nero 7 Demo
Neuros Synchronization Manager
OpenOffice.org 2.0
QuickTime
Realtek AC'97 Audio
Sony ACID 4.0f
SoulSeek Client 156c
Spy Sweeper
Steam
StyleXP (remove only)
Tag&Rename 3.1.6
Trillian
Update for Windows XP (KB898461)
VideoLAN VLC media player 0.8.4a
Viewpoint Media Player
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
WinRAR archiver



thanks....
Go to the top of the page
 
+Quote Post
darksource
post Jul 29 2006, 01:56 AM
Post #5


New Member
*
Posts: 7
OS: xp
also, just to add, the weird thing on my desktop has now just greyed out the desktop area and becomes 'highlighted' whenever I move the cursor over the desktop. when I clicked the desktop and went to 'view source' and properties, I got this:


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!----
***** This file is automatically generated by Microsoft Windows *****
--------><HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY bgColor=#000000>
<DIV
style="BACKGROUND: url(file:///C:/Documents%20and%20Settings/Elliott/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp) no-repeat 50% 50%; LEFT: 0px; WIDTH: 1280px; POSITION: absolute; TOP: 0px; HEIGHT: 1024px"></DIV><IFRAME
id=0
style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1280px; POSITION: absolute; TOP: 1px; HEIGHT: 968px"
name=DeskMovrW marginWidth=0 marginHeight=0
src="file:///C:/WINDOWS/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\desktop.html" resizeable="粶鉘檼"> </IFRAME>
<OBJECT id=ActiveDesktopMover
style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5"
classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>
<OBJECT id=ActiveDesktopMoverW
style="Z-INDEX: -1; LEFT: -1px; VISIBILITY: hidden; WIDTH: 1282px; POSITION: absolute; TOP: 0px; HEIGHT: 970px; container: positioned"
classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>&nbsp;
</BODY></HTML>



dunno if that helps with anything, but i figure it couldn't hurt to add.
Go to the top of the page
 
+Quote Post
Flrman1
post Jul 29 2006, 10:27 AM
Post #6


Malware Assassin
Group Icon
Posts: 6,596
OS: XP Home, XP Pro, Vista



* Click here to download smitRem.exe.
  • Save the file to your desktop.
  • It is a self extracting file.
  • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
  • If the link to SmitRem above is not working try this one.
* Click here to download ATF Cleaner by Atribune and save it to your desktop.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Go to Add/Remove programs and uninstall these:

J2SE Runtime Environment 5.0 Update 6
Viewpoint Media Player


* Run Hijack This again and put a check by this entry. Close ALL windows except HijackThis and click "Fix checked"

O4 - HKLM\..\Run: [mdjbf.exe] C:\WINDOWS\system32\mdjbf.exe


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

    C:\WINDOWS\desktop.html

    C:\WINDOWS\system32\mdjbf.exe

    C:\WINDOWS\system32\{A7C7A12F-1277-4DE4-940B-B984BE53F1F7}.exe

    C:\WINDOWS\system32\{AAAC354C-A10F-4CFC-96CF-3569A7B4C0F1}.exe

    C:\WINDOWS\system32\{107202BF-9C9C-4140-AF27-BE6CAC1B227E}.exe

    C:\WINDOWS\system32\{C7A23916-1816-4267-9931-632AB8806C61}.exe

  • Click on the button that has the red circle with the X in the middle after you enter each file.
  • It will ask for confimation to delete the file.
  • Click Yes.
  • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
  • Killbox may tell you that one or more files do not exist.
  • If that happens, just continue on with all the files. Be sure you don't miss any.
  • Exit the Killbox.
* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run ATF Cleaner:
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    • If you use Firefox:
      • Click Firefox at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    • If you use Opera:
      • Click Opera at the top and choose: Select All
      • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages". If you see any entry there that is checked, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Now go here and install the latest version of Java.


* Go here and do the BitDefender online virus scan.
  • Click "I Agree" to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click "Click here to scan" to begin the scan.
  • Please refrain from using the computer until the scan is finished.
  • When the scan is finished, click on "Click here to export the scan results"
  • Save the report to your desktop then come back here and attach it to your next reply along with a new Hijack This log..
Note: You have to use Internet Explorer to do the online scan.

SmitRem creates a log file with the results of it's fix in C:\smitfiles.txt. Go to your C drive and locate the smitfiles.txt file. Copy and paste the contents of the smitfiles.txt file in your next reply here along with a new HiJackThis log and the results from BitDefender scan

This post has been edited by Flrman1: Jul 29 2006, 10:27 AM
Go to the top of the page
 
+Quote Post
Flrman1
post Jul 29 2006, 10:28 AM
Post #7


Malware Assassin
Group Icon
Posts: 6,596
OS: XP Home, XP Pro, Vista



I had to edit my post. Please check it again before you proceed.
Go to the top of the page
 
+Quote Post
darksource
post Jul 29 2006, 02:59 PM
Post #8


New Member
*
Posts: 7
OS: xp
I went back and did another scan with Kaspersky and selected the 'scan my computer' option this time. This is the scan result:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 29, 2006 1:54:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/07/2006
Kaspersky Anti-Virus database records: 209772
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 123321
Number of viruses found: 2
Number of infected objects: 10 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:28:32

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Elliott\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\History\History.IE5\MSHist012006072920060730\index.dat Object is locked skipped
C:\Documents and Settings\Elliott\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Elliott\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Elliott\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Elliott\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst Object is locked skipped
C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP157\A0019763.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP157\A0019773.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP157\A0019782.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP159\A0022069.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP160\A0022431.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP162\A0023431.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP163\A0024164.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP164\A0024785.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP164\A0024786.exe Infected: Trojan.Win32.DNSChanger.ef skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP164\A0024891.exe Infected: not-a-virus:AdWare.Win32.Raze.a skipped
C:\System Volume Information\_restore{6699B81F-CD88-48DA-BD19-6960CE382B23}\RP165\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atapi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5597.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052269.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052270.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052271.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052272.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052273.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052274.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052275.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052276.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052277.inf Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052278.inf Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052279.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052280.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052281.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052282.cat Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052283.cat Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052284.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052285.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052286.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052287.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052288.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052289.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052290.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052291.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052292.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052293.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052294.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052295.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052296.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052297.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052298.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052299.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052300.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052301.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052302.exe Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052303.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052304.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052305.tsp Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052306.TSP Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052307.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052308.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052309.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052310.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052311.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052312.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE750-CF41-4B29-B33B-B4361706C0A3}\RP271\A0052313.dll Object is locked skipped
E:\System Volume Information\_restore{1D2DE7