Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

explorer.exe [RESOLVED]


  • This topic is locked This topic is locked

#1
caylis

caylis

    New Member

  • Member
  • Pip
  • 7 posts
I was told to repost this here.

So a couple of days ago my desktop and taskbar dissappeared and after looking around on the internet I found out it was explorer.exe. I've been using the task manager to start explorer.exe ever since and now the desktop and taskbar flash on and off. I can't really do much because the only restore point is right when the flashes occured and it is a borrowed laptop so I don't have the windows xp cd. I really need this laptop to do work and even typing out this paragraph is really difficult.
Please help.


Here is my HijackThis Log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:24 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Q2l0eSBvZiBUb3JvbnRv\command.exe
c:\Program Files\CA\eTrust Antivirus\InoRpc.exe
c:\Program Files\CA\eTrust Antivirus\InoRT.exe
c:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\timeserv.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\CA\ETRUST~1\realmon .exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\NWTRAY .EXE
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\?dobe\w?auboot.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\ASEMBL~1\javaw.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\ASEMBL~1\javaw.exe
C:\PROGRA~1\ASEMBL~1\javaw.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideto.toronto.ca
F3 - REG:win.ini: load=C:\WINDOWS\system32\iiiih.exe
O4 - HKLM\..\Run: [Realtime Monitor] c:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [UserPref] REGEDIT.exe /s c:\windows\system32\userpref.reg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [UserPref] REGEDIT.exe /s c:\windows\system32\userpref.reg (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideto.toronto.ca
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE1281D-8A39-49F8-8009-F4575839E73D}: Domain = toronto.ca
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Q2l0eSBvZiBUb3JvbnRv\command.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 5428 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "C:\WINDOWS\system32\iiiih.exe"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • C:\WINDOWS\system32\iiiih.exe

  • Click Open.
  • Click Post.
Thank you!



Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
caylis

caylis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
The desktop seems to be working now. Here are the logs for combofix and hijackthis:


ComboFix 08-01-23.1C - admin 2008-01-25 15:23:09.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.176 [GMT -5:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\admin\Application Data\SpyGuardPro
C:\Documents and Settings\admin\Application Data\SpyGuardPro\Logs\threats.log
C:\Documents and Settings\admin\Application Data\SpyGuardPro\Logs\update.log
C:\Documents and Settings\admin\Local Settings\Temp\winvsnet .exe
C:\Documents and Settings\admin\Local Settings\Temp\winvsnet.exe
C:\Documents and Settings\admin\Start Menu\Programs\Outerinfo
C:\Documents and Settings\admin\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\admin\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
c:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\asembl~1
C:\Program Files\asembl~1\a?sembly\
C:\Program Files\asembl~1\javaw .exe
C:\Program Files\asembl~1\javaw.exe
C:\Program Files\BGInfo\bginfo .exe
C:\Program Files\BGInfo\bginfo.exe
C:\Program Files\CA\eTrust Antivirus\realmon .exe
C:\Program Files\CA\eTrust Antivirus\realmon.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Program Files\Dot1XCfg\Dot1XCfg .exe
C:\Program Files\Dot1XCfg\Dot1XCfg.exe
C:\Program Files\Internet Explorer\laduxan.dll
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\NetMeeting\horef4444.dll
C:\Program Files\NetMeeting\horef83122.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\SpyGuardPro
C:\Program Files\SpyGuardPro\history.db
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInst.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\Utilities\BMMLREF .EXE
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
C:\Program Files\ThinkPad\Utilities\EzEjMnAp .Exe
C:\Program Files\ThinkPad\Utilities\EzEjMnAp.Exe
C:\SxpInst\sxpstub .exe
C:\SxpInst\sxpstub.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\b122.exe
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~1\w?auboot.exe
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\Q2l0eSBvZiBUb3JvbnRv\
C:\WINDOWS\Q2l0eSBvZiBUb3JvbnRv\\asappsrv.dll
C:\WINDOWS\Q2l0eSBvZiBUb3JvbnRv\\command.exe
C:\WINDOWS\Q2l0eSBvZiBUb3JvbnRv\\kZ5Xym1St21ovaLSvBlS.vbs
C:\WINDOWS\Q2l0eSBvZiBUb3JvbnRv\command.exe
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\dpmw32 .exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\efcdeee.dll
C:\WINDOWS\system32\hiiii.ini
C:\WINDOWS\system32\hiiii.ini2
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\ICO .EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\iiiih.dll
C:\WINDOWS\system32\iiiih.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnkjhf.dll
C:\WINDOWS\system32\NWTRAY .EXE
C:\WINDOWS\system32\NWTRAY.EXE
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX39.tmp
C:\WINDOWS\system32\RCX56.tmp
C:\WINDOWS\system32\RCX68.tmp
C:\WINDOWS\system32\RCXC.tmp
C:\WINDOWS\system32\RCXD.tmp
C:\WINDOWS\system32\rqrrqrs.dll
C:\WINDOWS\system32\tp4ex .exe
C:\WINDOWS\system32\tp4ex.exe
C:\WINDOWS\system32\TpShocks .exe
C:\WINDOWS\system32\TpShocks.exe
C:\WINDOWS\system32\xwrdjhlg.dll
C:\WINDOWS\Temp\RecoverFromReboot .exe
C:\WINDOWS\Temp\RecoverFromReboot.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\UTLite33 .exe
C:\WINDOWS\UTLite33.exe

<pre>
C:\Documents and Settings\admin\Local Settings\Temp\winvsnet .exe ---> QooBox
C:\Program Files\BGInfo\bginfo .exe ---> QooBox
C:\Program Files\CA\eTrust Antivirus\realmon .exe ---> QooBox
C:\Program Files\Dot1XCfg\Dot1XCfg .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe ---> QooBox
C:\Program Files\Synaptics\SynTP\SynTPEnh .exe ---> QooBox
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR .exe ---> QooBox
C:\Program Files\ThinkPad\Utilities\BMMLREF .EXE ---> QooBox
C:\Program Files\ThinkPad\Utilities\EzEjMnAp .Exe ---> QooBox
C:\SxpInst\sxpstub .exe ---> QooBox
C:\WINDOWS\UTLite33 .exe ---> QooBox
C:\WINDOWS\system32\dpmw32 .exe ---> QooBox
C:\WINDOWS\system32\hkcmd .exe ---> QooBox
C:\WINDOWS\system32\ICO .EXE ---> QooBox
C:\WINDOWS\system32\igfxtray .exe ---> QooBox
C:\WINDOWS\system32\NWTRAY .EXE ---> QooBox
C:\WINDOWS\system32\tp4ex .exe ---> QooBox
C:\WINDOWS\system32\TpShocks .exe ---> QooBox
C:\WINDOWS\Temp\RecoverFromReboot .exe ---> QooBox
</pre>
.
----- BITS: Possible infected sites -----

hxxp://javadl.sun.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 15:19 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 23:11 . 2008-01-24 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 13:24 . 2008-01-22 13:33 <DIR> d-------- C:\Program Files\RegCure
2008-01-21 19:03 . 2008-01-25 15:36 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-21 19:03 . 2008-01-21 19:03 36,864 --a------ C:\WINDOWS\17PHolmes572.exe
2008-01-21 19:00 . 2008-01-21 19:00 <DIR> d-------- C:\WINDOWS\system32\vx2
2008-01-21 19:00 . 2008-01-21 19:00 <DIR> d-------- C:\WINDOWS\system32\sa3
2008-01-21 19:00 . 2008-01-21 19:00 <DIR> d-------- C:\TEMP\gTiis19
2008-01-21 19:00 . 2008-01-22 12:49 376,320 --a------ C:\WINDOWS\mrofinu572.exe.tmp
2008-01-21 18:59 . 2008-01-21 18:59 <DIR> d-------- C:\WINDOWS\system32\nGpxx01
2008-01-21 18:59 . 2008-01-21 18:59 <DIR> d-------- C:\TEMP\cXzz9
2008-01-21 18:54 . 2008-01-21 18:54 <DIR> d-------- C:\WINDOWS\Sun
2008-01-20 02:50 . 2008-01-20 02:50 <DIR> d-------- C:\Program Files\GALA-NET
2008-01-15 01:06 . 2008-01-15 01:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-15 01:03 . 2008-01-15 01:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-15 01:03 . 2008-01-15 01:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-15 01:02 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-15 00:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-14 22:42 . 2002-09-30 08:00 87,552 --a------ C:\WINDOWS\system32\CNMLM49.DLL
2008-01-14 22:42 . 2002-07-29 20:59 73,728 --a------ C:\WINDOWS\system32\CNMCP49.exe
2008-01-14 22:42 . 2002-07-29 20:59 73,728 --a------ C:\WINDOWS\system32\cnm1B.tmp
2008-01-14 22:42 . 2002-09-30 08:00 5,632 --a------ C:\WINDOWS\system32\CNMVS49.DLL
2008-01-14 22:40 . 2008-01-14 22:41 <DIR> d-------- C:\TEMP\i550_XP_v162
2008-01-14 22:40 . 2008-01-14 22:41 <DIR> d-------- C:\TEMP\Canon_i550_XP_v162
2008-01-13 19:52 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-01-13 19:52 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-01-13 19:50 . 2008-01-13 19:50 <DIR> d-------- C:\Program Files\Common Files\snpp106
2008-01-13 19:50 . 1998-06-11 23:15 307,200 --a------ C:\WINDOWS\vidcap32.exe
2008-01-13 18:47 . 2008-01-13 18:49 <DIR> d-------- C:\VP-EYE
2008-01-13 18:47 . 2008-01-13 18:49 33,625 --a------ C:\WINDOWS\unvpeye.ini
2008-01-13 18:41 . 2008-01-13 18:41 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-13 18:33 . 2008-01-25 15:36 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-13 17:52 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-13 17:52 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-13 11:47 . 2007-07-12 16:38 6,345 -ra------ C:\WINDOWS\system32\DevMngr.vxd
2008-01-13 11:46 . 2008-01-13 11:46 <DIR> d-------- C:\Program Files\Common Files\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 20:36 --------- d-----w C:\Program Files\BGInfo
2008-01-20 07:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-20 07:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-16 22:59 --------- d-----w C:\Program Files\Java
.
<pre>
----a-w		   110,592 2008-01-22 04:53:24  C:\Program Files\Synaptics\SynTP\SynTPLpr .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"="c:\PROGRA~1\CA\ETRUST~1\realmon.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-25 14:59 132496]
"SDJobCheck"="triggusr.exe" []
"NWTRAY"="NWTRAY.EXE" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoThumbNailCache"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoThumbNailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-12 19:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BGInfo]
c:\program files\bginfo\bginfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMGAG]
--a------ 2004-08-25 00:37 110592 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
--a------ 2004-08-25 00:37 395776 C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COT_Networking Tool]
C:\Windows\UTLite33.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
C:\Program Files\Dot1XCfg\Dot1XCfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDPS]
C:\WINDOWS\system32\dpmw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New Computer]
%windir%\system32\newcomp.vbe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nlae]
C:\PROGRA~1\ASEMBL~1\javaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWTRAY]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu572.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDJobCheck]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sxplog]
C:\SxpInst\sxpstub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zgtycggn]
C:\WINDOWS\?dobe\w?auboot.exe

R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2004-05-14 13:08]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 11:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-08-25 00:37]
R2 TimeServ;Time Service;C:\WINDOWS\system32\timeserv.exe [2004-04-28 02:54]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 12:55]
S3 pelps2m;PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\pelps2m.sys [2003-01-20 21:28]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 12:25]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2002-11-25 17:30]

*Newly Created Service* - WUAUSERV
.
Contents of the 'Scheduled Tasks' folder
"2005-05-21 10:22:48 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2005-03-02 14:28:24 C:\WINDOWS\Tasks\defrag.job"
- C:\WINDOWS\system32\defrag.exe
"2008-01-25 20:56:33 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-01-22 18:24:42 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 15:56:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-01-25 15:57:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 20:57:19

________________________________________________________________________________
_____
________________________________________________________________________________
_____


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:59:00 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\CA\eTrust Antivirus\InoRpc.exe
c:\Program Files\CA\eTrust Antivirus\InoRT.exe
c:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\timeserv.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideto.toronto.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Realtime Monitor] c:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\RunOnce: [UserPref] REGEDIT.exe /s c:\windows\system32\userpref.reg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [UserPref] REGEDIT.exe /s c:\windows\system32\userpref.reg (User 'NETWORK SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideto.toronto.ca
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE1281D-8A39-49F8-8009-F4575839E73D}: Domain = toronto.ca
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 4663 bytes


Thanks for the help.
  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\17PHolmes572.exe
C:\PROGRA~1\ASEMBL~1\javaw.exe
C:\WINDOWS\mrofinu572.exe

Folder::
C:\Program Files\Dot1XCfg
C:\WINDOWS\system32\vx2
C:\WINDOWS\system32\sa3
C:\TEMP\gTiis19
C:\WINDOWS\system32\nGpxx01
C:\TEMP\cXzz9
C:\WINDOWS\?dobe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dot1XCfg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New Computer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nlae]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zgtycggn]

RenV::
----a-w 110,592 2008-01-22 04:53:24 C:\Program Files\Synaptics\SynTP\SynTPLpr .exe


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.
  • 0

#5
caylis

caylis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
So I did what you said, is there anything else I have to do?
  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Yes

Post me the ComboFix log
  • 0

#7
caylis

caylis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
ComboFix 08-01-23.1C - Admin 2008-01-26 23:34:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.259 [GMT -5:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-26 01:58 . 2008-01-26 01:58 <DIR> d---s---- C:\Program Files\Xfire
2008-01-26 01:51 . 2005-08-11 15:29 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl
2008-01-25 16:33 . 2008-01-25 16:33 <DIR> d-------- C:\Program Files\LimeWire
2008-01-25 15:19 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 23:11 . 2008-01-24 23:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-21 18:54 . 2008-01-21 18:54 <DIR> d-------- C:\WINDOWS\Sun
2008-01-20 02:50 . 2008-01-20 02:50 <DIR> d-------- C:\Program Files\GALA-NET
2008-01-15 01:06 . 2008-01-15 01:06 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-15 01:03 . 2008-01-15 01:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-01-15 01:03 . 2008-01-15 01:04 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-15 01:02 . 2006-09-25 17:58 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-01-15 00:22 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-14 22:42 . 2002-09-30 08:00 87,552 --a------ C:\WINDOWS\system32\CNMLM49.DLL
2008-01-14 22:42 . 2002-07-29 20:59 73,728 --a------ C:\WINDOWS\system32\CNMCP49.exe
2008-01-14 22:42 . 2002-07-29 20:59 73,728 --a------ C:\WINDOWS\system32\cnm1B.tmp
2008-01-14 22:42 . 2002-09-30 08:00 5,632 --a------ C:\WINDOWS\system32\CNMVS49.DLL
2008-01-14 22:40 . 2008-01-14 22:41 <DIR> d-------- C:\TEMP\i550_XP_v162
2008-01-14 22:40 . 2008-01-14 22:41 <DIR> d-------- C:\TEMP\Canon_i550_XP_v162
2008-01-13 19:52 . 2004-08-03 22:58 5,504 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-01-13 19:52 . 2004-08-03 22:58 5,504 --a--c--- C:\WINDOWS\system32\dllcache\mstee.sys
2008-01-13 19:50 . 2008-01-13 19:50 <DIR> d-------- C:\Program Files\Common Files\snpp106
2008-01-13 19:50 . 1998-06-11 23:15 307,200 --a------ C:\WINDOWS\vidcap32.exe
2008-01-13 18:47 . 2008-01-13 18:49 <DIR> d-------- C:\VP-EYE
2008-01-13 18:47 . 2008-01-13 18:49 33,625 --a------ C:\WINDOWS\unvpeye.ini
2008-01-13 18:41 . 2008-01-13 18:41 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-01-13 18:33 . 2008-01-25 16:05 <DIR> d-------- C:\Program Files\MSN Messenger
2008-01-13 17:52 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-01-13 17:52 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-01-13 11:47 . 2007-07-12 16:38 6,345 -ra------ C:\WINDOWS\system32\DevMngr.vxd
2008-01-13 11:46 . 2008-01-13 11:46 <DIR> d-------- C:\Program Files\Common Files\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 06:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-25 20:36 --------- d-----w C:\Program Files\BGInfo
2008-01-20 07:50 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-16 22:59 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((( [email protected]_15.57.07.66 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 20:20:47 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 02:01:04 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 20:20:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 02:01:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 20:20:48 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
+ 2008-01-26 02:01:05 233,472 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat
- 2008-01-25 20:20:49 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 02:01:05 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 20:20:49 1,794,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-26 02:01:05 1,794,048 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-25 20:20:49 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 02:01:05 151,552 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-13 23:41:43 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
+ 2008-01-25 21:05:18 29,926 ----a-r C:\WINDOWS\Installer\{571700F0-DB9D-4B3A-B03D-35A14BB5939F}\MsblIco.Exe
- 2008-01-25 20:45:41 52,164 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-25 20:57:50 52,164 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-01-25 20:45:41 375,862 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-25 20:57:50 375,862 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtime Monitor"="c:\PROGRA~1\CA\ETRUST~1\realmon.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-25 14:59 132496]
"SDJobCheck"="triggusr.exe" []
"NWTRAY"="NWTRAY.EXE" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoThumbNailCache"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogoff"= 1 (0x1)
"Intellimenus"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoInstrumentation"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoThumbNailCache"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]
tphklock.dll 2004-08-12 19:11 24576 C:\WINDOWS\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BGInfo]
c:\program files\bginfo\bginfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMGAG]
--a------ 2004-08-25 00:37 110592 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMLREF]
C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMMMONWND]
--a------ 2004-08-25 00:37 395776 C:\PROGRA~1\ThinkPad\UTILIT~1\BatInfEx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\COT_Networking Tool]
C:\Windows\UTLite33.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZEJMNAP]
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mouse Suite 98 Daemon]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDPS]
C:\WINDOWS\system32\dpmw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWTRAY]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecoverFromReboot]
C:\WINDOWS\Temp\RecoverFromReboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDJobCheck]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sxplog]
C:\SxpInst\sxpstub.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2008-01-21 23:53 110592 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TP4EX]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPHOTKEY]
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TpShocks]


R0 Shockprf;Shockprf;C:\WINDOWS\system32\drivers\Shockprf.sys [2004-05-14 13:08]
R1 ShockMgr;ShockMgr;C:\WINDOWS\system32\drivers\ShockMgr.sys [2004-05-14 11:59]
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys [2004-08-25 00:37]
R2 TimeServ;Time Service;C:\WINDOWS\system32\timeserv.exe [2004-04-28 02:54]
S3 pelmouse;Mouse Suite Driver;C:\WINDOWS\system32\DRIVERS\pelmouse.sys [2003-01-10 12:55]
S3 pelps2m;PS/2 Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\pelps2m.sys [2003-01-20 21:28]
S3 pelusblf;USB Mouse Low Filter Driver;C:\WINDOWS\system32\DRIVERS\pelusblf.sys [2003-02-11 12:25]
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys [2002-11-25 17:30]

.
Contents of the 'Scheduled Tasks' folder
"2005-05-21 10:22:48 C:\WINDOWS\Tasks\BMMTask.job"
- C:\PROGRA~1\ThinkPad\UTILIT~1\BMMTASK.EXE
"2005-03-02 14:28:24 C:\WINDOWS\Tasks\defrag.job"
- C:\WINDOWS\system32\defrag.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 23:48:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tphklock.dll
.
Completion time: 2008-01-26 23:49:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 04:49:25
ComboFix2.txt 2008-01-26 02:05:44
ComboFix3.txt 2008-01-25 20:57:28
  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
  • Under "Configuration and Preferences", click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.


Also post a new HijackThis log
  • 0

#9
caylis

caylis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/28/2008 at 01:15 AM

Application Version : 3.9.1008

Core Rules Database Version : 3389
Trace Rules Database Version: 1383

Scan type : Complete Scan
Total Scan Time : 00:36:49

Memory items scanned : 458
Memory threats detected : 0
Registry items scanned : 5239
Registry threats detected : 0
File items scanned : 32362
File threats detected : 448

Adware.Tracking Cookie
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][3].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][1].txt
C:\Documents and Settings\admin\Local Settings\Temp\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt
C:\Documents and Settings\LocalService\Cookies\[email protected][1].txt

Adware.k8l
C:\PROGRAM FILES\INTERNET EXPLORER\PROMYMYHD.HTML

Malware.LocusSoftware Inc/BestSellerAntivirus
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ADMIN\LOCAL SETTINGS\TEMP\WINVSNET .EXE.VIR

Trojan.Vundo/Variant-Installer/A
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\ADMIN\LOCAL SETTINGS\TEMP\WINVSNET.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\BGINFO\BGINFO.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\CA\ETRUST ANTIVIRUS\REALMON.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\JAVA\JRE1.6.0_03\BIN\JUSCHED.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\SYNAPTICS\SYNTP\SYNTPENH.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\THINKPAD\UTILITIES\EZEJMNAP.EXE.VIR
C:\QOOBOX\QUARANTINE\C\SXPINST\SXPSTUB.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU572.EXE.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DPMW32.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HKCMD.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ICO.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IGFXTRAY.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NWTRAY.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TP4EX.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TPSHOCKS.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\TEMP\RECOVERFROMREBOOT.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010807.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010808.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010809.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010811.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010812.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010813.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010814.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010816.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010818.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010819.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010820.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010879.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010887.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010889.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010892.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010895.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010897.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010898.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010899.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010901.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010905.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010906.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010913.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010921.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010925.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010930.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010933.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010937.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010938.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010939.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010941.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010943.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010945.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010947.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010948.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010958.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010966.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010970.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010972.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010976.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010977.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010979.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010980.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010983.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010985.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010986.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011002.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011011.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011013.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011015.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011022.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011023.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011024.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011028.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011030.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011033.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012001.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012005.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012006.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012007.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012009.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012010.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012011.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012012.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012014.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012016.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012017.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012022.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012023.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012024.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012026.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012028.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012029.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012030.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012031.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012032.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012033.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012034.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012037.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012065.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012066.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012067.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012068.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012090.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012091.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012092.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012094.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012095.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012096.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012097.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012099.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012101.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012102.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012103.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012106.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012110.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012114.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012115.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012116.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012118.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012119.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012120.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012121.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012123.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012125.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012126.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012188.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012194.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012195.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012196.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012200.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012201.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012204.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012206.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012209.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012210.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012211.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012355.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012365.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012366.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012367.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012369.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012370.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012371.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012373.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012375.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012376.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012377.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012383.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012384.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012385.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012386.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP27\A0012450.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012451.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012452.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012469.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012471.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012473.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012477.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012485.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012490.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012491.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012492.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012500.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012504.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012505.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012508.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012524.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012546.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012547.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012549.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012550.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012551.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012554.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012555.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012556.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012557.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012558.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012559.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012560.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012561.EXE

Adware.ClickSpring
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ASEMBL~1\JAVAW .EXE.VIR
C:\QooBox\Quarantine\C\WINDOWS\DOBE~1\WAUBOO~1.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\XWRDJHLG.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010912.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010994.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011039.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012042.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012218.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012381.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012479.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012494.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012510.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012511.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012519.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012568.EXE

Trojan.Vundo/Variant-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ASEMBL~1\JAVAW.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\DOT1XCFG\DOT1XCFG.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\THINKPAD\PKGMGR\HOTKEY\TPHKMGR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\THINKPAD\UTILITIES\BMMLREF.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IIIIH.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RCX39.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RCX56.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RCX68.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RCXC.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RCXD.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UTLITE33.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010805.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010806.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010810.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010815.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010817.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010823.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010884.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010885.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010893.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010900.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010904.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010908.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010923.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010924.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010935.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010942.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010944.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010950.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010960.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010962.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010974.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010982.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010984.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010988.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011004.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011005.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011014.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011025.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011029.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012003.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012004.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012008.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012013.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012015.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012019.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012021.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012025.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012027.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012035.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012036.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012088.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012089.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012093.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012098.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012100.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012104.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012112.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012113.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012117.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012122.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012124.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012128.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012190.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012192.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012199.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012205.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012208.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012225.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012361.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012362.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012368.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012372.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012374.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012378.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012453.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012478.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012493.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP28\A0012509.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012523.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012548.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012552.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012553.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012562.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012563.EXE

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINADMIN.EXE.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Trojan.Downloader-WinPop/SD
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\DOT1XCFG\DOT1XCFG .EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010911.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011038.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012043.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012219.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012382.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012531.EXE

Trojan.ZQuest
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\INTERNET EXPLORER\LADUXAN.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012520.DLL

Unclassified.Unknown Origin
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETMEETING\HOREF4444.DLL.VIR
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETMEETING\HOREF83122.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\Q2L0ESBVZIBUB3JVBNRV\COMMAND.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012521.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012522.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012528.EXE

Trojan.NetMon/DNSChange
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012564.EXE

Trojan.Downloader-Gen/MROFIN
C:\QOOBOX\QUARANTINE\C\WINDOWS\17PHOLMES572.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU1000106.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP23\A0010782.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP23\A0010796.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010907.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010987.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0011034.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0012018.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012045.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012063.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012064.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP25\A0012072.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012127.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012224.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012387.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012517.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP31\A0012664.EXE

Malware.LocusSoftware Inc-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\DOWNLOADED PROGRAM FILES\UGA6P_0001_N122M2210NETINSTALLER.EXE.VIR

Adware.Adservs
C:\QOOBOX\QUARANTINE\C\WINDOWS\Q2L0ESBVZIBUB3JVBNRV\ASAPPSRV.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VX2\SOFTIDNDLL3.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012571.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP31\A0012663.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\Q2L0ESBVZIBUB3JVBNRV\KZ5XYM1ST21OVALSVBLS.VBS.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SA3\RENAMD83122.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\TTC-4444.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012516.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012572.VBS
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012574.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP31\A0012662.EXE

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EFCDEEE.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NNNKJHF.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012525.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012526.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012579.DLL

Trojan.ZQuest-Installer
C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012573.EXE

Rogue.StorageProtector/Trace
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010831.EXE

Rogue.LocusSoftware/Component
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010856.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010862.DLL

Rogue.NoWayVirus-PTask
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP24\A0010861.EXE

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP26\A0012346.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{9DD8723F-08A7-4EED-B572-20406E757287}\RP29\A0012578.DLL



________________________________________________________________________________
_________________________________________________________________________________
_______



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:36 AM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\CA\eTrust Antivirus\InoRpc.exe
c:\Program Files\CA\eTrust Antivirus\InoRT.exe
c:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\timeserv.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\CA\Unicenter Software Delivery\BIN\TRIGGAG.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\CA\Unicenter Software Delivery\BIN\sdjexec.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://insideto.toronto.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Realtime Monitor] c:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [UserPref] REGEDIT.exe /s c:\windows\system32\userpref.reg (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [UserPref] REGEDIT.exe /s c:\windows\system32\userpref.reg (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://insideto.toronto.ca
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebo...toUploader3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9CE1281D-8A39-49F8-8009-F4575839E73D}: Domain = toronto.ca
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ACU Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - c:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Unicenter Software Delivery (SDService) - Computer Associates International, Inc. - C:\Program Files\CA\Unicenter Software Delivery\BIN\SDSERV.EXE
O23 - Service: IBM HDD APS Logging Service (TPHDEXLGSVC) - IBM Corporation - C:\WINDOWS\System32\TPHDEXLG.EXE

--
End of file - 4986 bytes
  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

You can delete the tools that we used


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#11
caylis

caylis

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you so much for all your help.
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP