
seriall.com keygen.exe wizp32[1].exe srvnrd[1].exe [RESOLVED]



#1
Paul W.

  • Member
  • 82 posts

* TABLE OF CONTENTS:

PREFACE
OBJECTIVE
HISTORY
POSTED LOGS


* PREFACE:

I want to thank all of the users and volunteers of the GeekToGo forums. This forum is the most professional and efficient and helpful forum that I have ever found. I remembered reading in one of the forum posts about toggling the "word wrap" before posting, but since I didn't know if the user posted with or without "word wrap" I don't know whether the "word wrap" should be selected or not. I've selected "word wrap" on the text editor before pasting into the post. Please let me know. Thank you!


* OBJECTIVE:

To have a system that is completely free of any and all malware (virus, spy, etc.). Also, to have a system that is not running absolutely any unnecessary programs (reminders, updates, etc.). I just want a barebones system (analogy: engine and carburetor only--no smog devices or electronics).


* HISTORY:

June 12, 2006 - 3:00PM--3:53PM PDT: Origin of malware infection

Connection: 56K dialup
Browser: Firefox 1.5.0.4
Website visited: <link removed>
Searched on: hdclone
Downloaded: keygen.exe
Executed locally from Desktop: keygen.exe
McAfee detected & failed to quarantine/clean:
Files: wizp32[1].exe ; srvnrd[1].exe
Trojan Name: StartPage-EX
Filepath: C:\Documents and Settings\SPOCIBA\Local Settings\Temporary Internet Files\Content.IE5\EXOZUP61
McAfee Virus Scan:
File: C:\Program Files\Cowabanga\Cowabanga.exe was infected by the Downloader-EV Trojan and has been deleted to complete the clean process.

June 13, 2006: Copied (possibly infected data) from C: to USB external HDD and burned DVDs

June 14, 2006 - 2:00AM--6:15PM: Attempts to remove all malware

Executed following programs in order (Logs saved):
CleanUp-4.51 (log[1])
Ad-AwareSE
CWShredder (log[3])
Ad-AwareSE
SpyBot
SpyBot-DSO Fix 131tx
Ewido (log[5])
TrojanHunter (log[6])
Windows Express Updates (All-7.9MB) - update.microsoft.com (3:32PM)
HiJackThis (log[7])
Ad-AwareSE (log[2])
SpyBot-DSO Fix 131tx (log[4])

Registered as New User (Paul W.): GeeksToGo.com

June 15, 2006: Updated malware removal programs above and scanned with logs

June 15, 2006 11:01PM: Posted this message to the GeeksToGo Malware forum


* POSTED LOGS: [1]CleanUp 4.51; [2]Ad-AwareSE; [3]CWShredder; [4]SpyBot-DSO; [5]Ewido; [6]TrojanHunter; [7]HiJackThis

---
(log [1])

CleanUp! started on 06/14/06 02:41:02.
...
Emptied Recycle Bin on drive C:
Emptied Recycle Bin on drive F:
'Run MRU' list - removed from the registry.
Search Assistant MRU list - removed from the registry.
Explorer Open/Save MRU list - removed from the registry.
Explorer Last Visited MRU list - removed from the registry.
Paint Recent File List - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
CleanUp! 4.5.1 recovered 941.8 MB of disk space from 1240 files.
CleanUp! finished on 06/14/06 02:41:14.:
---

---
(log[2])

<Ad-Aware log removed>

Edited by Maiestas, 16 June 2006 - 01:46 PM.



#2
Maiestas

  • Retired Staff
  • 1,481 posts

Welcome to Geeks to Go,

Too much unnecessary information. :whistling: I removed your adware log and the website link.


  • Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double-click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


#3
Paul W.

  • Topic Starter
  • Member
  • 82 posts

Sorry about too much information. But I thought it would be helpful. I have McAfee and it randomly detects different viruses that are not quarantined nor are they cleaned. I think this may have a direct correlation to the original infection that I first posted.

By the way, my first post was not even complete. The complete message would not post, even though it did not exceed the character limit. There must be some other reason the complete message wasn't posted.

I downloaded the HiJackThisSetup file as directed, and without disconnecting from the internet and without restarting computer, I ran in Normal Mode and saved the log for HiJackThis:



Logfile of HijackThis v1.99.1
Scan saved at 2:32:39 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{318A9743-841B-49E4-B10A-C2647E1DE8BD}: NameServer = 198.147.225.10 65.106.1.196
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#4
Maiestas

Maiestas

    eh...

  • Retired Staff
  • 1,481 posts
Your log really doesn't show anything. Do you still have Ewido's log saved? If so, please post the results of the scan in your next reply.


Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report


#5
Paul W.

Paul W.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
In my HiJackThis log, what can I fix (remove) which is not necessary for a barebones system?

Please forgive me for my ignorance regarding privacy issues from online scans. Could you please address my privacy when using such scans?

While using online virus scans such as Panda, Kaspersky, Virusscan.jotti, etc., exactly what information from my computer do they collect, copy, process, and save? In other words, is it POSSIBLE for them (even though they may CHOOSE NOT) to read, view, save, share, or copy photos, music, text documents, or absolutely any other information and files that reside on my computer?

I'll wait for a reply regarding Panda before running that scan.

I have a Trojan Hunter log if you want to see that.

THANK YOU VERY MUCH!


Latest ewido scan log:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:03:36 PM, 6/15/2006
+ Report-Checksum: D2B24E54

+ Scan result:

No infected objects found.


::Report End

#6
Maiestas

Maiestas

    eh...

  • Retired Staff
  • 1,481 posts
Panda’s Active Scan doesn’t really collect or copy anything from your computer. It scans the system for any infected items, lists them and reports them, that is it.

If you're concerned about running these online scans we can just skip them, if you like. The only reason I asked you to run the scan was just to make sure that nothing was left behind. Since your hijackthis log is basically clean.

We here at GeeksToGo never try to compromise our users’ safety or privacy. All the tools, scans, and products that we have our users run are thoroughly checked and tested by Experts, before using them in fixes.

Nonetheless, the choice is ultimately yours. If you are still hesitant, you have the right to not run any scans or tools that we request. We can skip them and can move on to the possible optional removals from your log.

#7
Paul W.

Paul W.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
Thank you. I wanted to say that I am convinced of GeeksToGo's good faith and sensitivity to users' privacy. I just want to let others know that it is my own world of paranoia, and I hope it does not affect others at all in their search to rid their system of malware.

I would like to re-ask this question though:

Is it POSSIBLE for online scans, such as Panda, Kaspersky and Virusscan.jotti, (even though they may CHOOSE NOT) to read, view, save, share, OR copy photos, music, text documents, or absolutely any other information and files that reside on my computer? If so, what is POSSIBLE for them to read, view, collect, save, copy or otherwise forward on to others from the scan?

Thank you again for your understanding and your time to help me.

#8
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
They don't copy or share anything at all. The ONLY thing that will even be picked up, cleaned, and/or reported are INFECTED FILES. They don't "read" or save your banking info, or anything of the sort.

#9
Paul W.

Paul W.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
Thank you both for helping me to understand the operations of online scans.

I also have the original EWIDO and TROJAN HUNTER logs that show infections before I started this post, if that will provide a more complete history of this case. Also, I have saved the two trojan .tmp files that were found in the Kaspersky scan. If you want me to upload those darn files for analysis, I can do that. Those files also have the same date/time as the moment of initial infection. Since those files were just present but not active, I wonder how many more files of the initial infection are just waiting for the right conditions to become active and trigger FDISK, FORMAT, or other unwanted operation or command. Should I wipe the disk and start over with a fresh Windows XP installation from the Setup CDs?


THANK YOU SO MUCH!



Here are the current PANDA and KASPERSKY scan reports:

-------------------------------------------------------------------------------
PANDA ACTIVE SCAN:

Incident Status Location

Adware:adware/securityerror Not disinfected C:\..Favorites\Antivirus Test Online.url

Spyware:Cookie/Tribalfusion Not disinfected C:\..Firefox\Profiles\94ijd2dy.default
\cookies.txt[.tribalfusion.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\..Firefox\Profiles\94ijd2dy.default
\cookies.txt[.atdmt.com/]

Spyware:Cookie/QuestionMarket Not disinfected C:\..Firefox\Profiles\94ijd2dy.default
\cookies.txt[.questionmarket.com/]

Adware:Adware/SecurityError Not disinfected C:\..Desktop\hp100.tmp

Adware:Adware/SecurityError Not disinfected C:\..Desktop\ld100.tmp

Potentially unwanted tool
Application/Processor Not disinfected C:\..SmitRem\smitRem.exe[smitRem/Process.exe]
-------------------------------------------------------------------------------



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, June 17, 2006 4:39:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 18/06/2006
Kaspersky Anti-Virus database records: 189095
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
X:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 74525
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 00:42:15

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\hp100.tmp Infected: Trojan-Downloader.Win32.Zlob.sm skipped
C:\WINDOWS\system32\ld100.tmp Infected: Trojan-Downloader.Win32.Zlob.sd skipped

Scan process completed.

#10
Maiestas

Maiestas

    eh...

  • Retired Staff
  • 1,481 posts
Did you remove the pathway to the files, here, in red? -- I need to see everything untouched when you paste me the logs. Please re-post the log with the full pathway to the files.

Adware:adware/securityerror Not disinfected C:\..Favorites\Antivirus Test Online.url
Spyware:Cookie/Tribalfusion Not disinfected C:\..Firefox\Profiles\94ijd2dy.default
\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\..Firefox\Profiles\94ijd2dy.default
\cookies.txt[.atdmt.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\..Firefox\Profiles\94ijd2dy.default
\cookies.txt[.questionmarket.com/]
Adware:Adware/SecurityError Not disinfected C:\..Desktop\hp100.tmp
Adware:Adware/SecurityError Not disinfected C:\..Desktop\ld100.tmp



===============================


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

Edited by Maiestas, 18 June 2006 - 12:55 PM.



#11
Paul W.

Paul W.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
I apologize for removing the pathway partially. I did it to clean it up, so that it would be easier for you to read it, and not wrap around. From now on I'll leave the reports/logs untouched.

Would it hurt if I delete the "process" file? I really don't need it, do I?

Or, should I download and install the "process" freeware utility version 2.03, from the website link you included in the previous post?

I've moved things around since the last scan post, and have posted a new Panda scan which is below, along with the SmitFraudFix log.


THANK YOU VERY MUCH FOR YOUR CONSIDERATION AND PATIENCE!



-------------------------------
PANDA ACTIVE SCAN:

Incident Status Location

Adware:Adware/SecurityError Not disinfected C:\Documents and Settings\SPOCIBA\Desktop\InfectedFiles\hp100.tmp
Adware:Adware/SecurityError Not disinfected C:\Documents and Settings\SPOCIBA\Desktop\InfectedFiles\ld100.tmp
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\SPOCIBA\Desktop\InfectedFiles\SmitRem\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\SPOCIBA\Desktop\InfectedFiles\SmitRem_Duplicate\smitRem.exe[smitRem/Process.exe]
Adware:adware/securityerror Not disinfected C:\Documents and Settings\SPOCIBA\Favorites\Antivirus Test Online.url
-------------------------------




-------------------------------
SMITFRAUDFIX:



SmitFraudFix v2.62

Scan done at 22:55:27.60, Sun 06/18/2006
Run from C:\Documents and Settings\SPOCIBA\Desktop\SmitfraudFix\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\SPOCIBA\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\SPOCIBA\FAVORI~1

C:\DOCUME~1\SPOCIBA\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
-------------------------------

#12
Maiestas

Maiestas

    eh...

  • Retired Staff
  • 1,481 posts
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
Delete these files:

C:\Documents and Settings\SPOCIBA\Desktop\InfectedFiles\hp100.tmp
C:\Documents and Settings\SPOCIBA\Desktop\InfectedFiles\ld100.tmp

Next,

Still in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

Edited by Maiestas, 19 June 2006 - 12:38 PM.


#13
Paul W.

Paul W.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
I deleted the two .tmp files. I ran smitfraudfix.cmd when I rebooted in normal mode, the SpyBot window asked me to allow or deny 3 changes in registry related to "Browser Page". I allowed the change without remembering the decision. Can I allow this registry change to be permanent?


THANK YOU!

_____________________
SMITFRAUDFIX LOG:


SmitFraudFix v2.62

Scan done at 19:55:34.18, Mon 06/19/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

_____________________

#14
Maiestas

Maiestas

    eh...

  • Retired Staff
  • 1,481 posts
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

Now close all windows and browsers other than HiJackThis, then click Fix Checked.
Close hijackthis.

Next,

Please click on the Start Menu and select Control Panel. A window should open. Now click on Add/Remove Programs.
Please Remove the following (if present):

Java 2 Runtime Environment, SE v1.4.2_03
J2SE Runtime Environment 5.0 Update 3

After you have done so, please go here: http://java.com/en/download/index.jsp and install the most recent version of Java.

Reboot and post a new hijackthis log.

#15
Paul W.

Paul W.

    Member

  • Topic Starter
  • Member
  • PipPip
  • 82 posts
HIJACKTHIS LOG (RAN IN NORMAL MODE, NOT SAFE MODE BOOTUP):



Logfile of HijackThis v1.99.1
Scan saved at 12:09:25 PM, on 6/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • 0
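
The before/after comparison of the two HijackThis logs in this thread (6/16 and 6/20), as an added example that is not part of any post and not part of HijackThis itself. The function names are hypothetical, and the two sample logs are abbreviated excerpts of the logs posted above.

```python
import re
from collections import namedtuple

Entry = namedtuple("Entry", "code detail")

# Each finding starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.*\S)\s*$")
SAVED_RE = re.compile(r"^Scan saved at (.+)$")

# Abbreviated excerpts of the two logs posted in this thread.
BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:32:39 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 12:09:25 PM, on 6/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gmail.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\npjpi150_07.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} -
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""


def parse_hjt(text):
    """Split a HijackThis log into scan time, running processes and entries."""
    log = {"saved": None, "processes": [], "entries": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        entry = ENTRY_RE.match(line)
        saved = SAVED_RE.match(line)
        if entry:
            in_procs = False
            log["entries"].append(Entry(entry.group(1), entry.group(2)))
        elif saved:
            log["saved"] = saved.group(1)
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs:
            log["processes"].append(line)
    return log


def _key(entry):
    # Windows paths and registry names are case-insensitive, so compare lowercased.
    return (entry.code, entry.detail.lower())


def diff_entries(before, after):
    """Return (removed, added) entries between two parsed logs, in log order."""
    old = {_key(e) for e in before["entries"]}
    new = {_key(e) for e in after["entries"]}
    removed = [e for e in before["entries"] if _key(e) not in new]
    added = [e for e in after["entries"] if _key(e) not in old]
    return removed, added


def new_processes(before, after):
    """Processes running in the later scan that were absent from the earlier one."""
    seen = {p.lower() for p in before["processes"]}
    return [p for p in after["processes"] if p.lower() not in seen]


def unresolved(entries):
    """Entries where the log itself shows no resolved target, source or vendor."""
    return [e for e in entries
            if e.detail.endswith("= ?") or e.detail.endswith(" -")
            or "Unknown owner" in e.detail]


if __name__ == "__main__":
    old_log, new_log = parse_hjt(BEFORE), parse_hjt(AFTER)
    removed, added = diff_entries(old_log, new_log)
    print("Comparing", old_log["saved"], "->", new_log["saved"])
    for label, items in (("removed", removed), ("added", added),
                         ("unresolved", unresolved(new_log["entries"]))):
        for e in items:
            print(f"{label:10} {e.code:4} {e.detail}")
    for p in new_processes(old_log, new_log):
        print(f"{'new proc':10} {p}")
```

On these excerpts the diff shows the fixed R1 entry and the old Java plug-in gone, and the new Java and online-scanner ActiveX entries added between the two scans.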