I need help in removing spyware.[RESOLVED]



#1
yuliayu

yuliayu

    Member

  • Member
  • PipPip
  • 10 posts
Hi,
I really need help in removing the spyware from my home computer.
I tried Adaware, SpyBot and Microsoft AntiSpyware. But in spite of this, every time I run a scan in Adaware I get a list of spyware. :tazz:
I would appreciate your help.

My hijackThis log is below:

Logfile of HijackThis v1.99.1
Scan saved at 13:07:36, on 07/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/162/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: Microsoft WFC Forms Designer - file://C:\PROGRA~1\MICROS~2\VJ98\WFCFORMS.CAB
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://tlvportal2.a...w,/setupini.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://tlvportal.am.../RemoveCtrl.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

Thanks in advance.
  • 0



#2
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Please download RKFiles from here:
http://skads.org/special/rkfiles.zip
Unzip it to the desktop but please do NOT run it yet.

Next, please reboot your computer in safe mode and run RKFiles.bat. It may take a while. When it is finished, a window should appear with a log.

Restart your computer in normal mode, and please post the contents of the logfile, which should be at c:\log.txt.

Regards,
  • 0

#3
yuliayu

yuliayu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here is the log after the RKFiles.bat:


C:\Documents and Settings\Ylia\Desktop

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye
  • 0

#4
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Can you do a Find Files for param32.dll ?

Let me know if and where you find it.

Regards,
  • 0

#5
yuliayu

yuliayu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi Pieter,

I will be able to do it today in the evening. After that I will post the results of search.

Thanks for your help,
Yulia.
  • 0

#6
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
OK. No problem. :tazz:
  • 0

#7
yuliayu

yuliayu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Hi Pieter,

Search can't find the param32.dll in my computer.

Yulia.
  • 0

#8
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It will take awhile so please be patient ...
3. Then post the results here please, along with the new HijackThis log.

Regards,
  • 0

#9
yuliayu

yuliayu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Here they are:

Find-it's log:
Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Sun 05/08/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Todo Files found


aurora Files found


Suspect's
Dont delete file's in the section without guidance
If any doubt back them up first


lagitamate file's can/will show in this section.

Buddy file's

SAHAgent Files found

Misc checks


Checking Windir\svcproc.exe and nail.exe.

Checking for System32\DrPMon.dll.

Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 083D-11F6

Directory of C:\WINDOWS\SYSTEM32

Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 083D-11F6

Directory of C:\WINDOWS\system32


.

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 22:03:33, on 08/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/162/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: Microsoft WFC Forms Designer - file://C:\PROGRA~1\MICROS~2\VJ98\WFCFORMS.CAB
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://tlvportal.am...w,/setupini.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://tlvportal.am.../RemoveCtrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

Yulia.
  • 0

#10
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
We'll have to dig deep then.

Please download Agent Ransack from:
http://www.mythicsof...m/agentransack/

Run the program and make sure there are Checkmarks in the Expert User and Containing Text boxes on the Advanced tab.

In the bottom bar type or paste hotoffers

Then click Start Search.

It will take quite a while before it's done.

When it is, click "Save results" (icon #4 from the left).
Choose save to clipboard and paste them into your next post.

Regards,

Pieter
  • 0
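The content search requested above, sketched in Python as an added example (it is not part of the original thread and is not how Agent Ransack itself works). It looks for the term both as plain ASCII and as UTF-16LE, since Windows stores many strings in the wide form; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def needle_variants(term):
    """Byte patterns for the term: plain ASCII and UTF-16LE, both lower-cased."""
    lowered = term.lower()
    return {"ascii": lowered.encode("ascii"),
            "utf-16le": lowered.encode("utf-16-le")}


def scan_file(path, term, chunk_size=1 << 20):
    """Return {encoding: offset of first match} for one file.

    The file is read in chunks; the tail of each window is carried over so a
    match that straddles a chunk boundary is still found.
    """
    needles = needle_variants(term)
    overlap = max(len(n) for n in needles.values()) - 1
    hits = {}
    offset = 0      # file offset at which the current window starts
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            # bytes.lower() only touches ASCII letters, which is enough for
            # a case-insensitive match in both encodings.
            window = (tail + chunk).lower()
            for name, needle in needles.items():
                if name not in hits:
                    pos = window.find(needle)
                    if pos != -1:
                        hits[name] = offset + pos
            if len(hits) == len(needles):
                break
            tail = window[-overlap:] if overlap else b""
            offset += len(window) - len(tail)
    return hits


def search_tree(root, term):
    """Walk root and return (matches, unreadable).

    matches is a sorted list of (relative path, hits); unreadable lists files
    that could not be opened, e.g. registry hives locked by the running system.
    """
    root = Path(root)
    matches, unreadable = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            try:
                hits = scan_file(full, term)
            except OSError:
                unreadable.append(rel)
                continue
            if hits:
                matches.append((rel, hits))
    return sorted(matches), sorted(unreadable)


def build_sample_tree(root):
    """Constructed sample files for the demo, not taken from the thread's PC."""
    root = Path(root)
    (root / "sub").mkdir()
    # Binary file with the term embedded as ASCII, in mixed case.
    (root / "ascii.bin").write_bytes(
        b"\x00\x90MZ" + b"A" * 40 + b"http://www.HotOffers.info/162/" + b"\x00")
    # Binary file with the term stored as UTF-16LE.
    (root / "sub" / "wide.dat").write_bytes(
        b"\xff\xfe\x01\x02" + "Start Page=hotoffers".encode("utf-16-le"))
    # File without the term.
    (root / "clean.txt").write_bytes(b"nothing to see here")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        found, skipped = search_tree(tmp, "hotoffers")
        for rel, hits in found:
            print(rel, hits)
        print("unreadable:", skipped)
```

Files reported as unreadable still need checking by other means, because a locked file can hold the string just as well as an open one.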



#11
yuliayu

yuliayu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I hope this is what you need:


C:\WINDOWS\SYSTEM32\systr.dll (11 KB, 26/03/2005 13:01:18)

C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Backups\regUsers.reg (1938 KB, 03/05/2005 22:05:16)
20937 "Start Page"="http://www.hotoffers.info/162/"

C:\WINDOWS\All Users\Application Data\Spybot - Search & Destroy\Logs\Resident.log (7 KB, 08/05/2005 20:46:10)
16 04/05/2005 23:26:29 Allowed value "Start Page" (new data: "http://www.hotoffers.info/162/") changed in Browser page!

C:\WINDOWS\repair\software (13892 KB, 02/04/2005 17:37:44)

C:\WINDOWS\repair\default (672 KB, 02/04/2005 17:37:46)

C:\WINDOWS\repair\ntuser.dat (672 KB, 02/04/2005 17:23:48)

C:\Documents and Settings\Default User\ntuser.dat (672 KB, 02/04/2005 17:23:48)

C:\Documents and Settings\Ylia\Local Settings\History\History.IE5\index.dat (272 KB, 09/05/2005 19:26:12)
Visited: Ylia@https://tlvportal2.amdocs.com/prx/00/54xr/pJw45xgD-7H/bB4mxpO84m71yZ4we22,/sign.aspxSign URL bP bP 2dX` 2I Visited: Ylia@file:///C:/Micr_AntiSpyware/MicrosoftAntiSpywareInstall.exe URL &R &R 2DN`h 2DN Visited: Ylia@http://www.microsoft.com/windows2000/downloads/default.asp URL 0P 0P 2X` H2v Visited: Ylia@http://www.google.co.il/search?hl=iw&ie=ISO-8859-8-I&q=getright&meta=4 : getright URL 6P PP 2X` 2z Visited: Ylia@http://www.getright.com GetRight Download Manager: Resume Downloads, Schedule Downloads, Faster Downloads URL P P 2X` 2| Visited: Ylia@http://www.getright.com/get.htmlGetRight Download Manager: Resume Downloads, Schedule Downloads, Faster Downloads URL 0P 0P 2FX` ̈2F Visited: Ylia@http://www.download.com/GetRight/3000-2071-10005533.html?part=dl-GetRight&subj=dl&tag=buttontGetRight - Reviews and free downloads at Download.com URL h[|P h[|P 2AX` \ 2A Visited: Ylia@http://ads.com.com/mac-ad?SP=36&_RGROUP=7238&NCAT=20:2001:2017:2071:&CNET-BRAND-ID=1&HUB=cn&PTNR=2&LOCALE=en_US&&CNET-SITE-ID=4&ASSET_HOST=adimg.download.com&PTYPE=3000&cnet-ontology-node-id=2071&eng:datetime=&adfile=591/11/595385_wc.ca URL 2 P 2 P 2FX` < 2F Visited: Ylia@http://dw.com.com/redir?pid=10367715&merid=52869&mfgid=52869&ltype=dl_dlnow&lop=btn&edId=3&siteId=4&oId=3000-2071_4-1
0 URL ܥ R ܥ R 2KX` L2K Visited: Ylia@http://www.microsoft.com/isapi/CTRedir.asp?type=CT&source=WWW&sPage=Flyout_S2_Node1|Left%20Nav||Internet%20Explorer&tPage=http://www.microsoft.com/windows/ie/default.mspx 8Internet Explorer Home URL p?lP p?lP 2+X` 2+&Visited: Ylia@https://tlvportal.amdocs.com/prx/00/54xr/rJG40E/xt.uE/tM3te,/acm52.msi URL `' P `' P 29X` \ P2 Visited: Ylia@http://www.microsoft.com/downloads/info.aspx?na=64&p=0&u=winGenuineDecision.aspx&genscs=&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&f=f&FamilyId=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&DisplayLang=en <Genuine Windows Download URL 0$P 0$P 2BX` 2' Visited: Ylia@http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en&Hash=J5VXPM8 URL "R "R 2uL`h 2uL Visited: Ylia@file:///C:/Documents%20and%20Settings/Ylia/Desktop/ie6setup.exe URL IaP IaP 2EX` x2) Visited: Ylia@http://www.microsoft.com/downloads/winGenuineDecision.aspx?FamilyId=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&DisplayLang=en dDownload details: Windows AntiSpyware (Beta) URL 6P CP 2JX` ` x2/ Visited: Ylia@http://www.microsoft.com/downloads/info.aspx?na=130&p=0&u=thankyou.aspx&genscs=&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&f=f&FamilyId=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&DisplayLang=en&Hash=J5VXPM8 dDownload details: Windows AntiSpyware (Beta) URL | @(Q | @(Q 23!X` D23! 
Visited: Ylia@res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm 0No page to display URL S S 27`h 827 Visited: Ylia@http://www.hotoffers.info/162/jennajameson/jennajameson.html$Jenna Jameson URL HP HP 2MX` 2M Visited: Ylia@http://www.hotoffers.info/162/dating/dating.html URL xP xP 2 X` 2 Visited: Ylia@http://rad.microsoft.com/ADSAdClient31.dll?GetAd=&PG=CMSIE3&SC=F3&AP=1164 URL ,)yP ,)yP 2 X` 2 Visited: Ylia@http://rad.microsoft.com/ADSAdClient31.dll?GetAd=&PG=CMSIE2&SC=F2&AP=1027 URL ƒR ƒR 2ZX` (2[ Visited: Ylia@https://tlvportal.amdocs.com/prx/00/54xr/wO297E,/login.html Login URL ^ P k P 22X` x2 Visited: Ylia@http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=endDownload details: Windows AntiSpyware (Beta) URL (0'Q 0'Q 2A X` `2A Visited: Ylia@http://antispy.realizeit.biz/index.php?qq=Free+spyware+removal&id=30777&said=ad0162 LGloboLOOK! - Free spyware removal URL @ R @ R 2U`h X 2{V Visited: Ylia@http://www.microsoft.com/downloads/info.aspx?na=41&p=0&u=ThankYou.aspx&genscs=&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=254eb128-5053-48a7-8526-bd38215c74b2&f=f&familyId=254eb128-5053-48a7-8526-bd38215c74b2&displayLang=en URL 2>0R ?A0R 2L`h ԧ2L Visited: Ylia@http://download.microsoft.com/download/ie6sp1/finrel/6_sp1/W98NT42KMeXP/EN-US/ie6setup.exe URL `.(Q `.(Q 2 X` إ2! Visited: Ylia@https://tlvportal2.amdocs.com/prx/00/54xr/pJw45xgD-7H/bB4mxpO84m71yZ4we22/Ew0Esz21hl.u,/Authenticate.aspx URL P9R t;R 2T`h ( 2U Visited: Ylia@http://www.microsoft.com/isapi/CTRedir.asp?type=CT&source=WWW&sPage=Flyout_S1_Node7_S1_Node2|Left%20Nav||Windows%202000&tPage=http://www.microsoft.com/windows2000/default.asp URL 0V R 0V R 2[X` 42[ Visited: Ylia@https://tlvportal.amdocs.com/prx/000/http/localhost/login.html Amdocs gate
0 : Ylia@http://ramf1srv/CITRIX/Metaframe/default/launch.ica?NFuse_Application=NTFarmx003aMichal&NFuse_AppFriendlyNameURLEncoded=Michal URL `н S `н S 2Yz`h H2Yz Visited: Ylia@http://ramf1srv/CITRIX/Metaframe/default/default.aspx?NFuse_LogoutId=On 4Applications Service URL S S 2Wz`h $ 2Wz Visited: Ylia@http://ramf1srv/CITRIX/Metaframe/default/launch.ica?NFuse_UID=113183371&NFuse_Application=NTFarmx003aMichal&NFuse_AppFriendlyNameURLEncoded=Michal&NFuse_MIMEExtension=.ica URL S S 2 z`h $ 2z Visited: Ylia@http://search.microsoft.com/search/info.aspx?u=http%3A%2F%2Fwww.microsoft.com%2Fwindowsxp%2Fusing%2Fmobility%2Frdfaq.mspx&n=4&na=52&c=10&fp=3&st=b&na=88&View=en-US&qu=remote URL @ S @ S 2 z`h |2z Visited: Ylia@http://www.microsoft.com/windowsxp/using/mobility/rdfaq.mspxhFrequently Asked Questions About Remote Desktop URL `@ S `@ S 2 z`h 2 { Visited: Ylia@http://www.microsoft.com/windowsxp/downloads/tools/rdclientdl.mspx xWindows XP: Remote Desktop Connection Software Download URL b S b S 2#z`h 䈧2 { Visited: Ylia@http://www.microsoft.com/downloads/details.aspx?FamilyID=80111f21-d48d-426e-96c2-08aa2bd23a49&DisplayLang=entDownload details: Remote Desktop Connection Software URL S S 2&z`h X 2 { Visited: Ylia@http://www.microsoft.com/downloads/info.aspx?na=41&p=0&u=ThankYou.aspx&genscs=&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=80111f21-d48d-426e-96c2-08aa2bd23a49&f=f&familyId=80111f21-d48d-426e-96c2-08aa2bd23a49&displayLang=en URL |f S |f S 2(z`h 䈧2 { Visited: Ylia@http://www.microsoft.com/downloads/ThankYou.aspx?familyId=80111f21-d48d-426e-96c2-08aa2bd23a49&displayLang=entDownload details: Remote Desktop Connection Software URL ˏ S ˏ S 2{`h X2{ Visited: Ylia@file:///C:/Program%20Files/Amdocs%20Connection%20Manager/ACA/HTML/msg_HDContactSmall.htmDHow to contact the help desk URL 5 "S 5 "S 25X` Ч25 Visited: Ylia@http://www.hotoffers.info/162/go.phpGirls looking for sex or marriage in your city! We have the hugest free-access databases! 
URL yA T yA T 2 `h ȸ2 Visited: Ylia@http://www.geekstogo.com/forum/ReferredSpyware_infection_First_timer-t22181.htmlGeeks To Go - Free Computer Help -> [Referred]Spyware infection: First timerURL pjS jS 2 `h ̨2 Visited: Ylia@http://www.geekstogo.com/forum/hijacked_by_hotoffers-t22030.html|Geeks To Go - Free Computer Help -> hijacked by hotoffers0http://www.geekstogo.com/favicon.ico URL iT iT 20`h 2 Visited: Ylia@http://www.hotoffers.info/162/weightloss.htmlSIZE DOES MATTER! REAL EFFECT - YOU NEED NOTHING TO TRY RIGHT NOW! URL 9 T 9 T 21`h 21 Visited: Ylia@http://www.geekstogo.com/forum/index.php?showtopic=22783&st=0&p=112053& Geeks To Go - Free Computer Help -> I need help in removing spyware.0http://www.geekstogo.com/favicon.ico URL C T C T 2Z`h Ԩ2Z Visited: Ylia@http://www.geekstogo.com/forum/ReferredSpyware_That_won_t_go_away_help_RESOLVED-t19562.html Geeks To Go - Free Computer Help -> [Referred]Spyware That won't go away (help!)[RESOLVED]

C:\Documents and Settings\Ylia\Local Settings\History\History.IE5\MSHist012005032120050328\index.dat (32 KB, 02/04/2005 9:03:26)

C:\Documents and Settings\Ylia\Local Settings\History\History.IE5\MSHist012005041820050425\index.dat (48 KB, 02/05/2005 21:52:06)

C:\Documents and Settings\Ylia\Local Settings\History\History.IE5\MSHist012005050220050509\index.dat (96 KB, 09/05/2005 6:59:08)
  • 0

#12
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
Copy the part in bold below into notepad and save it as hoffersfix.reg

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-
"{D56A1203-1452-EBA1-7294-EE3377770000}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=-


Double-click that file and confirm you want to merge it with the registry.

Reboot and delete:
C:\WINDOWS\SYSTEM32\systr.dll

Post your new HijackThis log.

Regards,
  • 0

#13
yuliayu

yuliayu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
I can't delete the systr.dll. I get an error: "Cannot delete systr: The specified file is being used by Windows."

Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:00:58, on 09/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/162/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: Microsoft WFC Forms Designer - file://C:\PROGRA~1\MICROS~2\VJ98\WFCFORMS.CAB
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://tlvportal.am...w,/setupini.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://tlvportal.am.../RemoveCtrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

Yulia.
  • 0
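What hoffersfix.reg from post #12 asks the registry to do, checked against the follow-up log in post #13, as an added example that is not part of the original posts. The function names are hypothetical; the fix file and the three log lines are copied from the page, and the check only covers what HijackThis prints in its R0/R1 lines.

```python
import re

# The fix file from post #12, copied from the page.
REG_FIX = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{12345678-0000-0010-8000-00AAFF6D2EA4}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D56A1203-1452-EBA1-7294-EE3377770000}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{12345678-0000-0010-8000-00AAFF6D2EA4}"=-
"{D56A1203-1452-EBA1-7294-EE3377770000}"=-

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"=-
"""

# Three lines taken from the HijackThis log in post #13 (after the merge).
LOG_AFTER = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/162/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}
GUID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_DELETE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*-$')
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<name>[^=]+?)\s*=\s*(?P<data>.*)$")


def short_key(key):
    """Abbreviate the hive name the way HijackThis prints it."""
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive, hive) + "\\" + rest


def parse_reg_deletions(text):
    """List the deletions in a REGEDIT4 file as (kind, key, value_name).

    "[-key]" removes a whole key; '"name"=-' under "[key]" removes one value.
    """
    ops, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[-") and line.endswith("]"):
            ops.append(("delete_key", short_key(line[2:-1]), None))
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = short_key(line[1:-1])
        else:
            m = VALUE_DELETE.match(line)
            if m and key:
                ops.append(("delete_value", key, m.group(1)))
    return ops


def parse_hjt_r_entries(log):
    """Map (key, value name), lower-cased, to the data shown in R0/R1 lines."""
    entries = {}
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            entries[(m["key"].lower(), m["name"].lower())] = m["data"]
    return entries


def surviving_values(reg_text, log_text):
    """Values the fix deletes that a later log still reports, with their data."""
    seen = parse_hjt_r_entries(log_text)
    out = []
    for kind, key, name in parse_reg_deletions(reg_text):
        if kind == "delete_value":
            data = seen.get((key.lower(), name.lower()))
            if data is not None:
                out.append((key, name, data))
    return out


def clsids_still_listed(reg_text, log_text):
    """CLSIDs named anywhere in the fix that still appear anywhere in the log."""
    targeted = set()
    for _, key, name in parse_reg_deletions(reg_text):
        targeted.update(g.upper() for g in GUID.findall(key + " " + (name or "")))
    return sorted(g for g in targeted if g in log_text.upper())


if __name__ == "__main__":
    for op in parse_reg_deletions(REG_FIX):
        print(op)
    print("still present:", surviving_values(REG_FIX, LOG_AFTER))
    print("CLSIDs still listed:", clsids_still_listed(REG_FIX, LOG_AFTER))
```

The surviving Start Page value in the post #13 log is the same R0 line the fix was meant to clear.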

#14
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,671 posts
We'll get that sorted. :tazz:

Please download the Killbox.
Now run Killbox by doubleclicking Killbox.exe and select "Delete on Reboot".
Paste this in the Full path to file to delete box
C:\WINDOWS\SYSTEM32\systr.dll


Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot and use the regfile we made again.

Let me know,
  • 0

#15
yuliayu

yuliayu

    Member

  • Topic Starter
  • Member
  • PipPip
  • 10 posts
Unfortunately I pressed delete&backup, not the delete on reboot option.
What do I need to do now?

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 06:54:50, on 10/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\internat.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office\Osa.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/162/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: bho2gr Class - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Image Transfer.lnk = C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\SHDOCVW.DLL
O16 - DPF: Microsoft WFC Forms Designer - file://C:\PROGRA~1\MICROS~2\VJ98\WFCFORMS.CAB
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://tlvportal.am...w,/setupini.cab
O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://tlvportal.am.../RemoveCtrl.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.amdocs.com,amdocs.com
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe

Thanks,
Yulia.
  • 0





