Trojan Horse PSW OnlineGames and Generic5 [Resolved]


  • This topic is locked

#16
benchia
  • Topic Starter
  • Member
  • 22 posts
Refer to the bottom post.

Edited by benchia, 09 January 2008 - 11:05 AM.

  • 0

#17
benchia
  • Topic Starter
  • Member
  • 22 posts
Hello, I did what you said, but I think my computer is still infected.

Here is the HijackThis log,

Logfile of HijackThis v1.99.1
Scan saved at 8:38:29 PM, on 1/9/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\WebCam\M1000\M1000Mnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\System32\notepad.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 25
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [hxgame-update] C:\Program Files\hxupdate\hxgame-update.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [M1000Mnt] M1000Rmv.exe /StartStillMnt
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra button: ?′??? - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu...s/acuviewer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)


Here is the Superantispyware log,

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/09/2008 at 06:58 PM

Application Version : 3.9.1008

Core Rules Database Version : 3377
Trace Rules Database Version: 1371

Scan type : Complete Scan
Total Scan Time : 01:19:52

Memory items scanned : 159
Memory threats detected : 0
Registry items scanned : 5295
Registry threats detected : 0
File items scanned : 45920
File threats detected : 0


And last but not least, the OTMoveIt log:

C:\WINDOWS\system32\regsvr32.tlg moved successfully.
File/Folder C:\WINDOWS\RegSrv64D.exE not found.
File/Folder C:\WINDOWS\NAVMon32.exE not found.
File/Folder C:\auto.exe not found.
C:\WINDOWS\system32\REGKEY.hiv moved successfully.
File/Folder C:\Windows\M1000Rmv.exe not found.
File/Folder C:\Windows\system32\M1000Rmv.exe not found.
File/Folder C:\WINDOWS\system32\svshost.exe not found.

Created on 01/09/2008 17:23:14


After all this, I ran AVG and I got 5 threats, which are:

upxdnd.exe.vir
32583CEE.EXE.vir
LYMANGR.DLL.vir
MSDEG32.DLL.vir
upxdnd.dll.vir
  • 0
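The HijackThis log above lists autorun (O4) and service (O23) entries. As an added example that is not part of this thread or of HijackThis itself, the Python script below parses lines in that format and flags the entries a helper would check first: services reported as "(file missing)" or with "Unknown owner", and Run-key entries that give a bare executable name with no directory (Windows locates those through the PATH search order, so the log line alone does not tell you which file runs). The sample lines are constructed to match the log's format; the function names and flagging rules are mine, and a flag is a prompt to verify the file on disk, not a verdict: some bare-name entries in the log above (000StTHK.exe, TFNF5.exe) are standard Toshiba utilities.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not code from the thread or from HijackThis: it parses the
O4 Run-key and O23 Service lines and flags the ones worth checking on disk.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample lines in the same format as the log above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [Apoint] C:\\Program Files\\Apoint2K\\Apoint.exe
O4 - HKLM\\..\\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\\..\\Run: [M1000Mnt] M1000Rmv.exe /StartStillMnt
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\System32\\ctfmon.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\\Program Files\\TOSHIBA\\TME3\\Tmesbs32.exe" /Service (file missing)
"""

# O4 Run-key entries: "O4 - HKLM\..\Run: [name] command".  Startup-folder
# O4 lines have a different shape and are not handled here.
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 service entries: "O23 - Service: name - owner - path [flags]".
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    kind: str          # "O4" or "O23"
    name: str          # registry value name or service display name
    detail: str        # the command line or service path as logged
    reasons: List[str]


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def parse_log(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (kind, hive_or_owner, name, detail) for each O4/O23 line."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            entries.append(("O4", m.group("hive"), m.group("name"), m.group("cmd")))
            continue
        m = O23_RE.match(line)
        if m:
            entries.append(("O23", m.group("owner"), m.group("name"), m.group("path")))
    return entries


def triage(text: str) -> List[Finding]:
    """Flag entries a reviewer should verify on disk; a flag is not a verdict."""
    findings = []
    for kind, extra, name, detail in parse_log(text):
        reasons = []
        if kind == "O4":
            exe = executable_of(detail)
            # A bare file name is resolved through the PATH search order,
            # so the log alone does not say which file actually runs.
            if "\\" not in exe:
                reasons.append("bare executable name, resolved via PATH search order")
        else:
            if "(file missing)" in detail:
                reasons.append("service binary missing on disk")
            if extra.lower() == "unknown owner":
                reasons.append("no vendor/owner recorded")
        if reasons:
            findings.append(Finding(kind, name, detail, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.name}: {'; '.join(f.reasons)}")
```

Run it against a saved HijackThis log by reading the file into `triage()`; every flagged entry should then be checked against the real path on disk and the vendor's documentation before anything is removed.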

#18
kahdah
    GeekU Teacher
  • Retired Staff
  • 15,822 posts
Those are quarantined files from ComboFix; nothing to worry about.

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan: select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by kahdah, 09 January 2008 - 07:37 PM.

  • 0

#19
benchia
  • Topic Starter
  • Member
  • 22 posts
I did the scan and here are the results.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, January 11, 2008 6:34:50 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/01/2008
Kaspersky Anti-Virus database records: 506636
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 45336
Number of viruses found: 6
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 00:53:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\~ROMFN_000002A4 Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0000001.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0000002.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0000006.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0000007.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0001003.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0001005.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0001006.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0001010.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0001011.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002007.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002009.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002011.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002013.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002014.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002018.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002019.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002020.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0002021.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003007.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003009.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003011.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003012.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003014.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003015.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003016.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003020.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003021.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003028.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003029.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003030.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003031.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003032.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003033.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003034.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003035.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003036.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003037.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003038.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003039.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003040.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003041.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003042.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003043.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003044.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003045.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003046.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003047.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003048.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003049.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003050.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003051.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003052.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003053.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003054.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003055.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003056.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003057.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003058.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003059.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003060.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003061.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003062.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003063.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003064.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003065.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003066.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003067.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003068.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003069.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003070.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003071.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003072.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003073.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003074.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003075.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003076.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003077.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003078.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003079.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003080.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003081.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003082.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003083.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003084.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003085.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003086.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003087.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003088.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003089.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003090.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003091.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003092.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003093.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003094.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003095.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003096.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003097.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003098.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003099.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003100.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003101.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003102.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003103.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003104.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003105.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003106.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003107.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003108.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003109.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003110.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003111.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003112.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003113.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003114.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003115.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003116.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003117.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003118.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003119.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003120.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003121.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003122.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003123.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003124.inf Infected: Virus.Win32.AutoRun.mg skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003130.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003131.inf Infected: Virus.Win32.AutoRun.mg skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003134.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003136.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003137.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003138.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003173.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003174.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003175.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003176.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003177.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003178.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003179.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003180.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003181.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003182.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003183.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003194.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003195.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003196.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003198.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003199.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003206.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003211.inf Infected: Virus.Win32.AutoRun.mg skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003212.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003213.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003221.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003225.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003226.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003228.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003231.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003232.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003247.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003248.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003249.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003250.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003251.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003252.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003253.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003254.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003255.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003256.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003257.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003258.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003260.exe Infected: Trojan-PSW.Win32.OnLineGames.ngp skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003261.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003262.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003263.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003264.exe Infected: Trojan-PSW.Win32.OnLineGames.ngx skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003265.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003266.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003267.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003268.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003269.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003270.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003271.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003272.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003273.exe Infected: Trojan-PSW.Win32.OnLineGames.ngp skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003274.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003275.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003276.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003277.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003278.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003279.exe Infected: Trojan-PSW.Win32.OnLineGames.ngx skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003280.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003281.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003282.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003283.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003284.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003285.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003286.exe Infected: Trojan-PSW.Win32.OnLineGames.hfr skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003287.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003288.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003289.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003290.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003291.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003292.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003293.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003294.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003295.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003296.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003297.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003298.exE Infected: Trojan-PSW.Win32.OnLineGames.ngx skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003299.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003300.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003301.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003302.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003303.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003304.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003305.inf Infected: Virus.Win32.AutoRun.mg skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003315.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003316.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003317.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003318.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003319.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003320.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003321.inf Infected: Virus.Win32.AutoRun.mg skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003325.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003326.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003367.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003368.exe Infected: Trojan-PSW.Win32.OnLineGames.ngp skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003369.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003370.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003372.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003373.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003380.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003387.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003388.exe Infected: Trojan-PSW.Win32.OnLineGames.ngp skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003389.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003390.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003391.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003392.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003393.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003394.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003395.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003396.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003397.exe Infected: Trojan-PSW.Win32.OnLineGames.ngx skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003398.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003399.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003400.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003401.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003402.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003403.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003404.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003405.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003406.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003905.EXE Infected: Trojan-PSW.Win32.OnLineGames.nif skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003906.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003907.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003908.exE Infected: Trojan-PSW.Win32.OnLineGames.ngx skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003909.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003910.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003911.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003912.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003913.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003914.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003915.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003916.exe Infected: Trojan-PSW.Win32.OnLineGames.ngp skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003917.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003918.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003919.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003920.EXE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003921.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003922.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003923.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003924.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003925.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003926.dll Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003927.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003928.exe Infected: Trojan-PSW.Win32.OnLineGames.ngp skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003929.exe Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003930.inf Infected: Virus.Win32.AutoRun.mg skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003973.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003974.exE Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003977.exe Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5853.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

6 virus found and 20 files infected.
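The report above is easier to act on once its hits are split by where they live. Every OnLineGames and AutoRun detection sits under C:\System Volume Information\_restore{...}\RPn\, which is System Restore's private copy of files from restore points 1 to 3; those copies cannot execute on their own, but they come back if one of those restore points is ever applied. The single hit outside the snapshots is C:\WINDOWS\system32\i, which is exactly the file the helper has removed in the next post. The script below is an added example written for this thread, not code from Kaspersky or from the helper; it parses the two line shapes the scanner emits ("<path> Object is locked skipped" and "<path> Infected: <name> skipped"), over a handful of lines copied from the report above, and returns the live hits, the restore points that hold infected copies, and a per-family count.

```python
"""Triage a Kaspersky Online Scanner report: split infected objects into
live-filesystem hits and System Restore snapshot copies.

Added example for this thread, not code from Kaspersky or from the helper.
Report lines have the form "<path> Object is locked skipped" or
"<path> Infected: <detection> skipped"; everything else (blank lines, the
"Scan process completed." trailer, the totals line) is ignored.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Lines copied from the scan report posted above (a handful of them).
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003121.DLL Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0003124.inf Infected: Virus.Win32.AutoRun.mg skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP2\A0003260.exe Infected: Trojan-PSW.Win32.OnLineGames.ngp skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP3\A0003905.EXE Infected: Trojan-PSW.Win32.OnLineGames.nif skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab skipped

Scan process completed.

6 virus found and 20 files infected.
"""

# "<path> Object is locked skipped"  or  "<path> Infected: <name> skipped"
LINE_RE = re.compile(r"^(?P<path>.+?) (?:Object is locked|Infected: (?P<name>\S+)) skipped$")
# System Restore keeps its copies under <drive>:\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\RP(?P<rp>\d+)\\", re.I
)


@dataclass(frozen=True)
class Hit:
    path: str
    detection: str
    restore_point: Optional[int]  # None when the file sits on the live file system


def parse_report(text: str) -> list:
    """Return one Hit per 'Infected:' line; locked-but-clean objects are dropped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("name"):
            continue
        rp = RESTORE_RE.match(m.group("path"))
        hits.append(Hit(m.group("path"), m.group("name"),
                        int(rp.group("rp")) if rp else None))
    return hits


def triage(text: str) -> dict:
    """Separate live hits (to be removed by hand) from snapshot copies
    (inert unless that restore point is applied) and count detection families."""
    hits = parse_report(text)
    live = [h for h in hits if h.restore_point is None]
    snapshots = [h for h in hits if h.restore_point is not None]
    # "Trojan-PSW.Win32.OnLineGames.ngp" -> "Trojan-PSW.Win32.OnLineGames"
    families = Counter(h.detection.rsplit(".", 1)[0] for h in hits)
    return {
        "live": live,
        "in_restore_points": snapshots,
        "tainted_restore_points": sorted({h.restore_point for h in snapshots}),
        "families": families,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Live files to remove:")
    for h in result["live"]:
        print(f"  {h.path}  ({h.detection})")
    print("Restore points holding infected copies:", result["tainted_restore_points"])
    print("Families:", dict(result["families"]))
```

Run against the full report the same way (paste the whole text into SAMPLE_LOG or read it from a file); the "tainted_restore_points" list is the reason helpers usually have System Restore turned off and back on once the live system is clean, since that is what discards the snapshot copies.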

#20 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
I see that you have BitComet installed.
Having P2P programs such as these raises the possibility of getting infected again.
See here for information on P2Ps.
I will leave it up to you whether you want to remove it.
To remove it, simply uninstall it, then delete this folder: C:\Program Files\BitComet
=============================================================
After that please re-open HijackThis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [M1000Mnt] M1000Rmv.exe /StartStillMnt
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm


Now click on Fix Checked and then close HijackThis.
======================================
Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\i

  • Return to OTMoveIt2, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • OTMoveIt2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=======================================
Please post back with the OTMoveIt log and a new HijackThis log.

#21 benchia (Member, Topic Starter, 22 posts)
I did what you asked of me.

Here is the OTMoveIt log.

C:\WINDOWS\system32\i moved successfully.

Created on 01/12/2008 03:18:58


Anything else I have to do? Thanks

#22 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Please post back with a new HijackThis log.

#23 benchia (Member, Topic Starter, 22 posts)
Logfile of HijackThis v1.99.1
Scan saved at 4:01:32 AM, on 1/12/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\conime.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\WebCam\M1000\M1000Mnt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\User\Desktop\HijackThis.exe

O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe
O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [DpUtil] C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [TFncKy] TFncKy.exe /Type 25
O4 - HKLM\..\Run: [TMESRV.EXE] C:\Program Files\TOSHIBA\TME3\TMESRV31.EXE /Logon
O4 - HKLM\..\Run: [TMERzCtl.EXE] C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE /Service
O4 - HKLM\..\Run: [TMEEJME.EXE] C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
O4 - HKLM\..\Run: [TMESBS.EXE] C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE /Client
O4 - HKLM\..\Run: [TosHKCW.exe] "C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe"
O4 - HKLM\..\Run: [NDSTray.exe] "C:\Program Files\Toshiba\ConfigFree\NDSTray.exe"
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [hxgame-update] C:\Program Files\hxupdate\hxgame-update.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: 腾讯QQ.lnk = C:\Program Files\Tencent\QQ\QQ.exe
O4 - Global Startup: Exif Launcher 2.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O9 - Extra button: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O9 - Extra 'Tools' menuitem: ???ˉ??5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder Network\Thunder\Thunder.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} (AcuViewer Control) - http://presentur.ntu...s/acuviewer.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
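Two things in the log above are worth a second look before anyone ticks more boxes in HijackThis. The two Toshiba services at the end are reported as "(file missing)" with "Unknown owner", yet Tmesbs32.exe and Tmesrv31.exe both appear in the running-process list, and each service path carries an unbalanced closing quote; an entry like that should be checked by hand rather than "fixed", because fixing it removes a service, not malware. Several O4 Run entries (000StTHK.exe, TFNF5.exe, TPWRTRAY.EXE, nwiz.exe) name a bare executable with no directory, which Windows resolves through the search path, so the log line alone does not say which file will run. The script below is an added example written for this thread, not HijackThis code; it parses the "Running processes", O4 and O23 lines of a HijackThis 1.99 log (a few lines copied from the log above serve as input) and reports those two conditions for a helper to review.

```python
"""Cross-check a HijackThis 1.99 log before ticking "Fix checked".

Added example for this thread, not HijackThis code. Two checks a helper
does by eye, done here over lines copied from the log posted above:
  1. O23 services reported "(file missing)" whose binary nevertheless
     appears under "Running processes": the file exists, so the odd path
     (note the unbalanced quote in the Toshiba entries) needs a manual
     look; fixing the entry would remove a real service, not malware.
  2. O4 Run entries that name a bare executable with no directory:
     Windows resolves those through the search path, so the log alone
     cannot say which file will run.
"""
import re

SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\System32\TFNF5.exe

O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TFNF5] TFNF5.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Tmesbs32 (Tmesbs) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe" /Service (file missing)
O23 - Service: Tmesrv3 (Tmesrv) - Unknown owner - C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe" /Service (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
FILE_MISSING = "(file missing)"


def parse_log(text):
    """Return (running processes, O4 entries, O23 entries)."""
    processes, runs, services = [], [], []
    in_processes = False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_processes = True
        elif not line:
            in_processes = False          # a blank line ends the process list
        elif in_processes:
            processes.append(line)
        elif O23_RE.match(line):
            m = O23_RE.match(line)
            cmd = m.group("cmd")
            missing = cmd.endswith(FILE_MISSING)
            if missing:
                cmd = cmd[: -len(FILE_MISSING)].rstrip()
            services.append({"name": m.group("name"), "owner": m.group("owner"),
                             "cmd": cmd, "missing": missing})
        elif O4_RE.match(line):
            m = O4_RE.match(line)
            runs.append({"key": m.group("key"), "cmd": m.group("cmd")})
    return processes, runs, services


def exe_from_cmd(cmd):
    """Executable path from a command line; tolerates the stray closing
    quote HijackThis shows on the Toshiba service entries."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.exe)\b", cmd, re.I)   # path ends at the first ".exe"
    return m.group(1) if m else cmd.split(" ", 1)[0]


def review(text):
    """Return (kind, entry, detail) findings for a helper to look at by hand."""
    processes, runs, services = parse_log(text)
    running = {p.lower() for p in processes}
    findings = []
    for s in services:
        exe = exe_from_cmd(s["cmd"])
        if s["missing"] and exe.lower() in running:
            findings.append(("missing-but-running", s["name"], exe))
        elif s["missing"]:
            findings.append(("service-file-missing", s["name"], exe))
        if s["cmd"].count('"') % 2:
            findings.append(("unbalanced-quote", s["name"], s["cmd"]))
    for r in runs:
        exe = exe_from_cmd(r["cmd"])
        if "\\" not in exe:               # no directory: resolved via the search path
            findings.append(("run-entry-bare-name", r["key"], exe))
    return findings


if __name__ == "__main__":
    for kind, entry, detail in review(SAMPLE_HJT):
        print(f"{kind:22} {entry:28} {detail}")
```

A "missing-but-running" finding is a prompt to open the service's ImagePath in the registry and compare it with the path in the process list, not a verdict; a bare-name Run entry is resolved by locating the file on disk (for this log, the matching C:\WINDOWS\System32\ process paths answer that for TFNF5.exe).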

#24 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
As a final check I would like you to download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.


Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlog...processutil.htm

#25 benchia (Member, Topic Starter, 22 posts)
SmitFraudFix v2.274

Scan done at 14:11:02.63, 01/12/2008 Sat
Run from C:\Documents and Settings\User\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TOSHIBA\TME3\Tmesbs32.exe
C:\Program Files\TOSHIBA\TME3\Tmesrv31.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\00THotkey.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\TOSHIBA\DualPointUtility\TEDTray.exe
C:\WINDOWS\System32\TFNF5.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\Program Files\TOSHIBA\TME3\TMERzCtl.EXE
C:\Program Files\TOSHIBA\TME3\TMEEJME.EXE
C:\Program Files\TOSHIBA\TME3\TMESBS32.EXE
C:\Program Files\TOSHIBA\Wireless Hotkey\TosHKCW.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\WINDOWS\System32\TPWRTRAY.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/Wireless LAN 2100 3B Mini PCI Adapter - Packet Scheduler Miniport
DNS Server Search Order: 221.228.255.1
DNS Server Search Order: 218.2.135.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{71A34F9D-E76B-4C4D-A687-EF410CDCA3B2}: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{71A34F9D-E76B-4C4D-A687-EF410CDCA3B2}: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{71A34F9D-E76B-4C4D-A687-EF410CDCA3B2}: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=221.228.255.1 218.2.135.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
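SmitfraudFix dumps the DNS section above because DNS-changing malware rewrites the resolver settings in every control set, so the helper can compare what each adapter and each ControlSet points at. The check below is an added example, not part of SmitfraudFix or of this thread: it parses that section and reports any resolver that is not on an expected list. The expected list is an assumption (the two addresses the DHCP lease handed out, as shown in the report); the extra NameServer line with a placeholder interface GUID and a TEST-NET address (192.0.2.53) is constructed so the check has something to report, and says nothing about the real report.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the DNS section of the SmitfraudFix report posted above,
# with one extra registry line appended for this example (placeholder interface GUID,
# TEST-NET address 192.0.2.53) so the check has something to report.
SAMPLE_DNS_SECTION = r"""
»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter - Packet Scheduler Miniport
DNS Server Search Order: 221.228.255.1
DNS Server Search Order: 218.2.135.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{71A34F9D-E76B-4C4D-A687-EF410CDCA3B2}: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{71A34F9D-E76B-4C4D-A687-EF410CDCA3B2}: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{71A34F9D-E76B-4C4D-A687-EF410CDCA3B2}: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=221.228.255.1 218.2.135.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer=192.0.2.53

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
"""

# Assumption: these are the resolvers the operator expects (here, the two the
# DHCP lease handed out, as shown in the report). Anything else is reported.
EXPECTED_RESOLVERS = {'221.228.255.1', '218.2.135.1'}

ORDER_RE = re.compile(r'^DNS Server Search Order:\s*(?P<ip>\S+)$')
ENTRY_RE = re.compile(
    r'^(?P<key>HKLM\\SYSTEM\\[^:\s]+):\s*(?P<name>DhcpNameServer|NameServer)=(?P<servers>.*)$')


def parse_dns_section(text):
    """Return (search_order, entries): the per-adapter search order as a list of
    strings, and a list of (registry_key, value_name, [servers]) for every
    control set SmitfraudFix dumped (CCS plus the ControlSet00N copies)."""
    search_order, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = ORDER_RE.match(line)
        if m:
            search_order.append(m.group('ip'))
            continue
        m = ENTRY_RE.match(line)
        if m:
            # DhcpNameServer is space separated; a static NameServer may use commas.
            servers = [s for s in re.split(r'[ ,]+', m.group('servers').strip()) if s]
            entries.append((m.group('key'), m.group('name'), servers))
    return search_order, entries


def _normalise(token):
    """Canonical text form of an address, or the raw token if it is not one
    (a non-address sitting in a resolver list is itself worth seeing)."""
    try:
        return str(ip_address(token))
    except ValueError:
        return token


def unexpected_resolvers(text, expected):
    """Every resolver in the section that is not in `expected`, as (address, where)
    pairs so the operator can see which adapter or control set still carries it.
    Checking every control set matters: a fix applied only to CurrentControlSet
    comes back if the machine boots into Last Known Good."""
    allowed = {_normalise(a) for a in expected}
    search_order, entries = parse_dns_section(text)
    findings = []
    for ip in search_order:
        if _normalise(ip) not in allowed:
            findings.append((_normalise(ip), 'DNS Server Search Order'))
    for key, name, servers in entries:
        for ip in servers:
            if _normalise(ip) not in allowed:
                findings.append((_normalise(ip), key + '\\' + name))
    return findings


if __name__ == '__main__':
    for address, where in unexpected_resolvers(SAMPLE_DNS_SECTION, EXPECTED_RESOLVERS):
        print(f'unexpected resolver {address} at {where}')
```

Run it on a saved rapport.txt by reading the file instead of SAMPLE_DNS_SECTION; the expected set should come from the ISP or the router's DHCP lease, not from the report itself, otherwise the check only confirms what malware already wrote.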



#26
kahdah
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Please then delete all other tools if any that I had you download.
Empty your recycle bin.
================
After that Your log is clean. :)

I see that you are only running Service Pack 1. To help keep this from happening again, please download Service Pack 2.
You can do so by doing all of the updates from Microsoft, or by going Here and doing it.

This will help keep you from being infected as badly next time.


To find out more information about how you got infected in the first place, and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein -> Here

#27
benchia
Thank you so much!!!

I will download Service Pack 2 as soon as possible. By the way, can I ask: if the Kaspersky Online Scan still shows I'm infected, will that be a problem?

I also found my computer runs slightly slower now than compared to before. Is that a problem as well?

#28
kahdah
What the Kaspersky scan showed as infected was a lot of System Restore points, and they were cleaned when you uninstalled Combofix.
The only other malware was killed by the OTMoveIt tool.
That also went when you uninstalled Combofix.

These are optional fixes, but they will help the startup time of the computer.
Fix these below with Hijackthis:

O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hxgame-update] C:\Program Files\hxupdate\hxgame-update.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe


Then click on "Fix checked" and close HijackThis.

That should help with the speed.


Also uninstall SUPERAntiSpyware.

Edited by kahdah, 12 January 2008 - 09:50 AM.

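Each O4 line above is HijackThis shorthand for one value under a Run key, and "Fix checked" deletes that value. The parser below is an added example (not HijackThis code and not from this thread): it turns the O4 lines into structured entries, separating the executable path from its switches even when an unquoted path contains spaces, and emits the equivalent reg.exe deletions so the same fix can be reproduced and audited without the GUI. The sample input copies the lines from the post, plus one line made up for this example (an unquoted path with spaces and no arguments); the HKUS-to-HKU mapping and the list of extensions treated as executables are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the O4 lines from the HijackThis excerpt above, preceded
# by the helper's prose line (which the parser must skip) and followed by one line
# made up for this example (an unquoted path with spaces and no arguments).
O4_SAMPLE = r"""Fix these below with Hijackthis:

O4 - HKLM\..\Run: [Drag'n Drop CD+DVD] C:\Program Files\Drag'n Drop CD+DVD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [hxgame-update] C:\Program Files\hxupdate\hxgame-update.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [Example Tool] C:\Program Files\Example Tool\tool.exe
"""

# Registry-backed O4 lines only: "O4 - <hive>\..\<key>: [value name] command".
# Other O4 forms (Startup folder items) are not handled here and are skipped.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+(?:\\S-[\d-]+)?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Assumed set of extensions that end an unquoted executable path.
EXE_RE = re.compile(r'^(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(?P<args>.*))?$', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str   # HKLM, HKCU, or HKUS\<SID> as HijackThis prints it
    key: str    # Run, RunOnce, ...
    name: str   # the registry value name shown in [brackets]
    path: str   # executable path with surrounding quotes removed
    args: str   # whatever followed the path


def split_command(cmd):
    """Separate the executable from its switches. Quoted paths are unambiguous;
    an unquoted path is cut after the first executable extension, so a path with
    spaces (C:\\Program Files\\...) followed by /StartUp still splits correctly."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd.strip('"'), ''
    m = EXE_RE.match(cmd)
    if m:
        return m.group('path'), (m.group('args') or '').strip()
    # No recognised extension: fall back to cutting before the first switch token.
    m = re.search(r'\s+(?=[/-])', cmd)
    if m:
        return cmd[:m.start()], cmd[m.end():]
    return cmd, ''


def parse_o4(text):
    """All registry-backed O4 entries in a HijackThis log or excerpt, in order."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # prose, blank lines and other O4 forms are ignored
        path, args = split_command(m.group('cmd'))
        entries.append(RunEntry(m.group('hive'), m.group('key'), m.group('name'), path, args))
    return entries


def registry_key(entry):
    """Full key that HijackThis abbreviates as <hive>\\..\\<key>. HKUS\\<SID> is
    assumed to be HijackThis's spelling of HKEY_USERS\\<SID>, which reg.exe calls HKU."""
    root = 'HKU' + entry.hive[4:] if entry.hive.startswith('HKUS') else entry.hive
    return root + r'\Software\Microsoft\Windows\CurrentVersion' + '\\' + entry.key


def reg_delete_commands(entries, names_to_fix):
    """What 'Fix checked' does for the named entries, as reg.exe commands: one
    value deletion each (/f suppresses the confirmation prompt)."""
    wanted = set(names_to_fix)
    return [f'reg delete "{registry_key(e)}" /v "{e.name}" /f' for e in entries if e.name in wanted]


if __name__ == '__main__':
    found = parse_o4(O4_SAMPLE)
    for e in found:
        print(f'{e.hive}\\{e.key}  [{e.name}]  path={e.path!r}  args={e.args!r}')
    print('\n'.join(reg_delete_commands(found, {'HP Software Update', 'MsnMsgr'})))
```

The parsed path is the thing to look at before removing anything: an entry whose executable lives outside Program Files or the Windows directory, or whose file no longer exists, deserves a closer look than one that merely slows the boot.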

#29
benchia
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 13, 2008 1:25:54 AM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/01/2008
Kaspersky Anti-Virus database records: 508826
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 42045
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:39:03

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat Object is locked skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0000018.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5853.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Sorry, can I ask if there is still a virus in my system?

#30
kahdah
That is because you deleted SmitfraudFix; all you have to do is delete your System Restore points again.
It is not a virus. :)

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405
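The Kaspersky report mixes three very different things on one list: files the scanner could not open ("Object is locked"), which carry no verdict at all; a detection inside a System Restore snapshot (the RiskTool copy of a removal tool, cleared by purging restore points, as explained above); and any detection on the live file system, which is the only kind that would mean the machine is still infected. The triage below is an added example, not part of the scanner or of this thread: it sorts a report into those buckets and prints the action each needs. The sample input takes a few lines from the report above plus one constructed line using the harmless EICAR test file, so the "live" branch is exercised; the line formats handled are the two that appear in the posted report.

```python
import re

# Constructed sample input: a handful of lines from the Kaspersky Online Scanner
# report posted above, plus one line made up for this example (the harmless EICAR
# test file, which scanners detect by design) so the "live" branch is exercised.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\A0000018.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C328C1F7-1079-4ED0-A60D-E8B74999C52A}\RP1\change.log Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\Documents and Settings\User\Desktop\eicar.com Infected: EICAR-Test-File skipped

Scan process completed.
"""

LOCKED_RE = re.compile(r'^(?P<path>.+?)\s+Object is locked\s+skipped$')
INFECTED_RE = re.compile(r'^(?P<path>.+?)\s+Infected:\s+(?P<verdict>.+?)\s+skipped$')
# System Restore keeps copies of files it saw change under _restore{GUID}\RPn\.
RESTORE_POINT_RE = re.compile(
    r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\', re.IGNORECASE)


def triage(report_text):
    """Sort report lines into buckets: 'locked' (in use, never scanned, no verdict),
    'restore_point' (a detection inside a System Restore snapshot), 'live' (a
    detection anywhere else) and 'unparsed' (headers, totals, other formats)."""
    buckets = {'locked': [], 'restore_point': [], 'live': [], 'unparsed': []}
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LOCKED_RE.match(line)
        if m:
            buckets['locked'].append(m.group('path'))
            continue
        m = INFECTED_RE.match(line)
        if not m:
            buckets['unparsed'].append(line)
            continue
        finding = {
            'path': m.group('path'),
            'verdict': m.group('verdict'),
            # Kaspersky prefixes legitimate-but-abusable tools (process killers,
            # reboot utilities) with "not-a-virus:".
            'risk_tool': m.group('verdict').startswith('not-a-virus:'),
        }
        kind = 'restore_point' if RESTORE_POINT_RE.search(m.group('path')) else 'live'
        buckets[kind].append(finding)
    return buckets


def action_plan(buckets):
    """One line per finding that needs a decision. Locked files produce nothing:
    'skipped' there means the scanner could not open them, not that they are
    clean or infected."""
    plan = []
    for f in buckets['restore_point']:
        plan.append(f"restore point copy: {f['verdict']} in {f['path']} -> "
                    "turn System Restore off and back on to purge all snapshots (KB310405)")
    for f in buckets['live']:
        note = 'risk tool, confirm it is one you installed' if f['risk_tool'] else 'investigate and remove'
        plan.append(f"LIVE: {f['verdict']} in {f['path']} -> {note}")
    return plan


if __name__ == '__main__':
    result = triage(SAMPLE_REPORT)
    print(f"{len(result['locked'])} locked, {len(result['restore_point'])} in restore points, "
          f"{len(result['live'])} live, {len(result['unparsed'])} unparsed")
    print('\n'.join(action_plan(result)))
```

Purging restore points also throws away the rollback snapshots, so do it only once the live bucket is empty; and a locked registry hive or log file in the report is expected on a running system, not a sign of infection.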