[jakethanless]

Logfile of HijackThis v1.99.1
Scan saved at 19:14:06, on 31/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\apina32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
c:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\Gary Allen\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rjaic.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rjaic.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rjaic.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rjaic.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rjaic.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rjaic.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FF539AEB-0A7D-AC37-9E12-A0854F3ADCBC} - C:\WINDOWS\system32\netix32.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ipgw.exe] C:\WINDOWS\system32\ipgw.exe
O4 - HKLM\..\Run: [atlbv32.exe] C:\WINDOWS\system32\atlbv32.exe
O4 - HKLM\..\Run: [apina32.exe] C:\WINDOWS\apina32.exe
O4 - HKLM\..\RunOnce: [ntxy.exe] C:\WINDOWS\ntxy.exe
O4 - HKLM\..\RunOnce: [sdkeh.exe] C:\WINDOWS\sdkeh.exe
O4 - HKLM\..\RunOnce: [ntpr.exe] C:\WINDOWS\system32\ntpr.exe
O4 - HKLM\..\RunOnce: [iehv32.exe] C:\WINDOWS\system32\iehv32.exe
O4 - HKLM\..\RunOnce: [crrc32.exe] C:\WINDOWS\system32\crrc32.exe
O4 - HKLM\..\RunOnce: [winqn.exe] C:\WINDOWS\system32\winqn.exe
O4 - HKLM\..\RunOnce: [atllb.exe] C:\WINDOWS\system32\atllb.exe
O4 - HKLM\..\RunOnce: [d3th.exe] C:\WINDOWS\d3th.exe
O4 - HKLM\..\RunOnce: [mfcoq32.exe] C:\WINDOWS\mfcoq32.exe
O4 - HKLM\..\RunOnce: [ipts.exe] C:\WINDOWS\ipts.exe
O4 - HKLM\..\RunOnce: [netxi.exe] C:\WINDOWS\netxi.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-a1.wanad...va/cfs31248.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103159494169
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{085FC9B2-BE74-40B1-A426-3E2ABCD5A9B9}: NameServer = 80.225.248.178 80.225.248.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{085FC9B2-BE74-40B1-A426-3E2ABCD5A9B9}: NameServer = 80.225.248.178 80.225.248.186
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\iecz32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

[Advertisements]

Hello and welcome to Geeks To Go.

I am UKBiker and will be helping you with this log.

Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please download Ewido security suite it is a trial version of the program.

• Install Ewido security suite
• Launch Ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 3 +++++

Important: You are running HJT from a Temp Directory, You must install and run it as follows, otherwise the backups it creates will be lost.

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. Please delete the old copy (including the zip copy) so it can't be used.

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.

UKBiker

[ukbiker]

Hello and welcome to Geeks To Go.

I am UKBiker and will be helping you with this log.

Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please download Ewido security suite it is a trial version of the program.

• Install Ewido security suite
• Launch Ewido, there should be an icon on your desktop double-click it.
• The program will prompt you to update click the OK button
• The program will now go to the main screen

You will need to update ewido to the latest definition files.

• On the left hand side of the main screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 3 +++++

Important: You are running HJT from a Temp Directory, You must install and run it as follows, otherwise the backups it creates will be lost.

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. Please delete the old copy (including the zip copy) so it can't be used.

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.

UKBiker

[jakethanless]

OK UKBiker, I'll get this lot done, many thanks. Later.

[jakethanless]

Hi again UKBiker. Alright, here goes, I hope I got all this right, and thanks again for your time, it's much appreciated.


BitDefender Online Scanner



Scan report generated at: Tue, Jun 07, 2005 - 19:27:10


Scan path: A:\;C:\;D:\;E:\;


Statistics

Time
00:28:56

Files
108773

Folders
3852

Boot Sectors
2

Archives
1413

Packed Files
10235




Results

Identified Viruses
10

Infected Files
310

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
310




Engines Info

Virus Definitions
167203

Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins
13

Archive plugins
39

Unpack plugins
4

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP352\A0033819.exe
Infected with: Trojan.Startpage.655

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP352\A0033819.exe
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP352\A0033819.exe
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Infected with: Trojan.Downloader.Winshow.AK

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP380\A0039895.ini
Update failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Infected with: Trojan.Downloader.Winshow.AK

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP381\A0039903.ini
Update failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040093.INI=>:lyfnk:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040093.INI=>:lyfnk:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040093.INI=>:lyfnk:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040093.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040094.ini=>:mjhuhj:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040094.ini=>:mjhuhj:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040094.ini=>:mjhuhj:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040094.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040096.INI=>:tlcpd:$DATA
Infected with: Trojan.Downloader.Agent.CD

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040096.INI=>:tlcpd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040096.INI=>:tlcpd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040096.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040097.INI=>:tlcpd:$DATA
Infected with: Trojan.Downloader.Agent.CD

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040097.INI=>:tlcpd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040097.INI=>:tlcpd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP387\A0040097.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP391\A0040149.INI=>:tlcpd:$DATA
Infected with: Trojan.Downloader.Agent.CD

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP391\A0040149.INI=>:tlcpd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP391\A0040149.INI=>:tlcpd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP391\A0040149.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP392\A0040166.INI=>:tlcpd:$DATA
Infected with: Trojan.Downloader.Agent.CD

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP392\A0040166.INI=>:tlcpd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP392\A0040166.INI=>:tlcpd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP392\A0040166.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP393\A0040193.INI=>:wygfz:$DATA
Infected with: Trojan.Downloader.Agent.AN

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP393\A0040193.INI=>:wygfz:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP393\A0040193.INI=>:wygfz:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP393\A0040193.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP395\A0040227.INI=>:ibnwpl:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP395\A0040227.INI=>:ibnwpl:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP395\A0040227.INI=>:ibnwpl:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP395\A0040227.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP397\A0040266.INI=>:ibnwpl:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP397\A0040266.INI=>:ibnwpl:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP397\A0040266.INI=>:ibnwpl:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP397\A0040266.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP397\A0040275.ini=>:mjhuhj:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP397\A0040275.ini=>:mjhuhj:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP397\A0040275.ini=>:mjhuhj:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP397\A0040275.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040296.ini=>:tlthes:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040296.ini=>:tlthes:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040296.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040296.ini=>:mjhuhj:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040296.ini=>:mjhuhj:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040296.ini=>:mjhuhj:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040296.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040310.ini=>:tlthes:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040310.ini=>:tlthes:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040310.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040310.ini=>:mjhuhj:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040310.ini=>:mjhuhj:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040310.ini=>:mjhuhj:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040310.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040318.INI=>:tlcpd:$DATA
Infected with: Trojan.Downloader.Agent.CD

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040318.INI=>:tlcpd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040318.INI=>:tlcpd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040318.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040319.INI=>:tlcpd:$DATA
Infected with: Trojan.Downloader.Agent.CD

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040319.INI=>:tlcpd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040319.INI=>:tlcpd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP398\A0040319.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP400\A0040414.INI=>:tlcpd:$DATA
Infected with: Trojan.Downloader.Agent.CD

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP400\A0040414.INI=>:tlcpd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP400\A0040414.INI=>:tlcpd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP400\A0040414.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP400\A0040424.INI=>:vthuya:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP400\A0040424.INI=>:vthuya:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP400\A0040424.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP401\A0040502.INI=>:vthuya:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP401\A0040502.INI=>:vthuya:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP401\A0040502.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP402\A0040522.INI=>:vthuya:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP402\A0040522.INI=>:vthuya:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP402\A0040522.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP404\A0040582.INI=>:vthuya:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP404\A0040582.INI=>:vthuya:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP404\A0040582.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP409\A0041620.INI=>:vthuya:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP409\A0041620.INI=>:vthuya:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP409\A0041620.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP412\A0041655.INI=>:vthuya:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP412\A0041655.INI=>:vthuya:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP412\A0041655.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041667.ini=>:cyrdib:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041667.ini=>:cyrdib:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041667.ini=>:cyrdib:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041667.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041668.INI=>:zeoklo:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041668.INI=>:zeoklo:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041668.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041691.INI=>:wygfz:$DATA
Infected with: Trojan.Downloader.Agent.AN

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041691.INI=>:wygfz:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041691.INI=>:wygfz:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP413\A0041691.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042749.ini=>:cyrdib:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042749.ini=>:cyrdib:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042749.ini=>:cyrdib:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042749.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042769.INI=>:lyfnk:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042769.INI=>:lyfnk:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042769.INI=>:lyfnk:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042769.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042772.ini=>:tlthes:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042772.ini=>:tlthes:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042772.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042772.ini=>:mjhuhj:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042772.ini=>:mjhuhj:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042772.ini=>:mjhuhj:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042772.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Infected with: Trojan.Downloader.Winshow.AK

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042792.ini
Update failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042832.INI=>:lyfnk:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042832.INI=>:lyfnk:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042832.INI=>:lyfnk:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042832.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Infected with: Trojan.Downloader.Winshow.AK

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042836.ini
Update failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Infected with: Trojan.Downloader.Winshow.AK

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042837.ini
Update failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042840.ini=>:vwrjgw:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042840.ini=>:vwrjgw:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042840.ini=>:vwrjgw:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042840.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042841.INI=>:tlcpd:$DATA
Infected with: Trojan.Downloader.Agent.CD

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042841.INI=>:tlcpd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042841.INI=>:tlcpd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042841.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042843.ini=>:iycwnq:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042843.ini=>:iycwnq:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042843.ini=>:iycwnq:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042843.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042852.INI=>:lyfnk:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042852.INI=>:lyfnk:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042852.INI=>:lyfnk:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042852.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042856.INI=>:olvfdm:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042856.INI=>:olvfdm:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042856.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini=>:tlthes:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini=>:tlthes:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini=>:mjhuhj:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini=>:mjhuhj:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini=>:mjhuhj:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini=>:efokcd:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini=>:efokcd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042857.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Infected with: Trojan.Downloader.Winshow.AK

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP414\A0042861.ini
Update failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042863.ini=>:tegho:$DATA
Infected with: Trojan.Downloader.Agent.BC

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042863.ini=>:tegho:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042863.ini=>:tegho:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042863.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042870.ini=>:nmjdub:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042870.ini=>:nmjdub:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042870.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Infected with: Trojan.Downloader.Winshow.AK

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042872.ini
Update failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042873.ini=>:wrdqp:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042873.ini=>:wrdqp:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042873.ini=>:wrdqp:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042873.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042873.ini=>:vwrjgw:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042873.ini=>:vwrjgw:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042873.ini=>:vwrjgw:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042873.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042874.ini=>:ogmkj:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042874.ini=>:ogmkj:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042874.ini=>:ogmkj:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042874.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:zjqtg:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:zjqtg:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:zjqtg:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:tukrw:$DATA
Infected with: Trojan.Downloader.Agent.BC

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:tukrw:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:tukrw:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:jkdmcd:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:jkdmcd:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI=>:jkdmcd:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042875.INI
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini=>:tlthes:$DATA
Infected with: Trojan.Agent.BI

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini=>:tlthes:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini=>:mjhuhj:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini=>:mjhuhj:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini=>:mjhuhj:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini=>:icccs:$DATA
Infected with: Trojan.Downloader.Agent.BQ

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini=>:icccs:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini=>:icccs:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042876.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042878.ini=>:sdrek:$DATA
Infected with: Trojan.Downloader.Agent.BC

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042878.ini=>:sdrek:$DATA
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042878.ini=>:sdrek:$DATA
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042878.ini
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 2)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 16)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 30)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Infected with: JS.Winshow.U

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 46)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Infected with: Trojan.Downloader.Winshow.AK

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Disinfection failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA=>(JAVASCRIPT 191)
Deleted

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini=>:zwecv:$DATA
Updated

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042879.ini
Update failed

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042932.INI=>:zbeck:$DATA
Infected with: Trojan.Downloader.Agent.BC

C:\System Volume Information\_restore{445B889A-9E0A-4FDF-BDBF-2E4666672177}\RP415\A0042932.INI=>:zbeck:$DATA
Disinfection failed

[ukbiker]

hi Jakethanless

thanks for posting the bitdefender log segment. A question if you dont mind,

Did you download and run Ewido? , if so, please post its log next time, if not, please do so.

In your next post, please provide the Ewido scan log and the new HJT logs.

Thanks

UKBiker

[jakethanless]

ewido security suite - Connection report
---------------------------------------------------------

+ Created on: 01:06:46, 08/06/2005
+ Report-Checksum: C8610E44

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 80.41.143.19:139 0.0.0.0:0 LISTENING
TCP 80.41.143.19:1109 207.46.107.121:1863 ESTABLISHED
TCP 80.41.143.19:1319 213.200.95.126:80 CLOSE_WAIT
TCP 80.41.143.19:1320 213.200.95.126:80 CLOSE_WAIT
TCP 127.0.0.1:10025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445
UDP 0.0.0.0:500
UDP 0.0.0.0:1031
UDP 0.0.0.0:1116
UDP 0.0.0.0:4500
UDP 80.41.143.19:9
UDP 80.41.143.19:123
UDP 80.41.143.19:137
UDP 80.41.143.19:138
UDP 80.41.143.19:1900
UDP 127.0.0.1:123
UDP 127.0.0.1:1030
UDP 127.0.0.1:1110
UDP 127.0.0.1:1140
UDP 127.0.0.1:1900

ewido security suite - Process report
---------------------------------------------------------

+ Created on: 01:06:23, 08/06/2005
+ Report-Checksum: 3A20C43D

0: System Process
4: System Process
160: C:\WINDOWS\SOUNDMAN.EXE
164: C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
172: C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
184: C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
212: C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
428: \SystemRoot\System32\smss.exe
484: \??\C:\WINDOWS\system32\csrss.exe
508: \??\C:\WINDOWS\system32\winlogon.exe
552: C:\WINDOWS\system32\services.exe
564: C:\WINDOWS\system32\lsass.exe
708: C:\WINDOWS\system32\svchost.exe
764: C:\WINDOWS\system32\svchost.exe
820: C:\WINDOWS\System32\svchost.exe
908: C:\WINDOWS\System32\svchost.exe
964: C:\WINDOWS\System32\svchost.exe
1056: C:\WINDOWS\system32\spoolsv.exe
1160: C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
1176: C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
1232: C:\Program Files\ewido\security suite\ewidoctrl.exe
1244: C:\Program Files\ewido\security suite\ewidoguard.exe
1376: C:\WINDOWS\System32\svchost.exe
1700: C:\WINDOWS\Explorer.EXE
1884: C:\WINDOWS\System32\alg.exe
1924: C:\WINDOWS\system32\wscntfy.exe
1956: C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
1968: C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
1984: C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
2008: C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
2852: C:\Program Files\MSN Messenger\msnmsgr.exe
3016: C:\Program Files\Internet Explorer\iexplore.exe
3608: C:\Program Files\ewido\security suite\SecuritySuite.exe

wido security suite - Startup report
---------------------------------------------------------

+ Created on: 01:06:58, 08/06/2005
+ Report-Checksum: 99271E9F

Reg\HKLM\Run AVG7_CC C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
Reg\HKLM\Run AVG7_EMC C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
Reg\HKLM\Run SpeedTouch USB Diagnostics "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
Reg\HKLM\Run SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
Reg\HKLM\Run DataLayer C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
Reg\HKLM\Run PCSuiteTrayApplication C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
Reg\HKLM\Run SoundMan SOUNDMAN.EXE
Reg\HKLM\Run ipgw.exe C:\WINDOWS\system32\ipgw.exe
Reg\HKLM\Run atlbv32.exe C:\WINDOWS\system32\atlbv32.exe
Shell\CommonStartup Ulead Photo Express 4.0 SE Calendar Checker .lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Ulead Photo Express 4.0 SE Calendar Checker .lnk

[jakethanless]

Logfile of HijackThis v1.99.1
Scan saved at 19:42:05, on 07/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FF539AEB-0A7D-AC37-9E12-A0854F3ADCBC} - C:\WINDOWS\system32\netix32.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ipgw.exe] C:\WINDOWS\system32\ipgw.exe
O4 - HKLM\..\Run: [atlbv32.exe] C:\WINDOWS\system32\atlbv32.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-a1.wanad...va/cfs31248.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103159494169
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\iecz32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

Adobe Acrobat 5.0
Avance AC'97 Audio
AVG Free Edition
Card Game Classics
CleanUp!
Compton's Interactive Encyclopedia 1999 International
Conexant SoftK56 Modem(M)
ewido security suite
HijackThis 1.99.1
Home Search Assistent
iPhoto Plus 4
J2SE Runtime Environment 5.0 Update 1
Jukebox Management Tool 1.1.3.9
Labtec WebCam
LimeWire 4.8.1
Macromedia Shockwave Player
MD 41084 Manager
Microsoft Money
Microsoft Money System Pack
Microsoft Office PowerPoint Viewer 2003
Microsoft Windows Journal Viewer
Microsoft Works 7.0
MSN Messenger 7.0
Mustek 1200 CP v1.5
Network Play System (Patching)
Nokia Connectivity Cable DKU-2 Drivers
Nokia PC Suite 6.1
PowerDVD
RealPlayer Basic
Search Extender
Shopping Wizard
SigmaTel MSCN Audio Player
Skype™ Beta 0.98
SpeedTouch USB Software
Spybot - Search & Destroy 1.3
TextBridge Classic 2.0
The Sims Livin' it up
The Sims Makin' Magic
Ulead Photo Express 4.0 SE
Viewpoint Media Player (Remove Only)
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB890175
Windows XP Service Pack 2
WinMX

THANKS AGAIN.

[ukbiker]

Hi there Jakethanless

thanks for posting the logs . Would you please now actually run the Ewido application that you have downloaded as per these iinstructions...

You will need to update ewido to the latest definition files.

• On the left hand side of the main Ewido screen click update
• Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

• Click on scanner
• Make sure the following boxes are checked before scanning:
  • Binder
  • Crypter
  • Archives
• Click on Start Scan
• Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

• Click Save report
• Save the report to your desktop

After you have done this, please post both the log that Ewido created and you saved to the desktop and a new HJT log. I m sorry to be such a pain, but this infection you have can be a real swine to get rid of if we dont get it absolutely right.

UKBiker

[jakethanless]

Hi again,.....ok, had problems with EWIDO. At 75% complete I got an error message stating that there had been a problem with the security suite and it had to be shut down, consequently I lost all the data, and there were a lot of files that needed cleaning. Anyways, I ran it again and at about the same point my computer shut down and re-booted with a message that the computer had recovered from a serious problem. I decided not to try it again, but here is the new HiJackThis log....is it me or do computers hate me? thanx again

Logfile of HijackThis v1.99.1
Scan saved at 19:30:56, on 08/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jpvdf.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {FF539AEB-0A7D-AC37-9E12-A0854F3ADCBC} - C:\WINDOWS\system32\netix32.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ipgw.exe] C:\WINDOWS\system32\ipgw.exe
O4 - HKLM\..\Run: [atlbv32.exe] C:\WINDOWS\system32\atlbv32.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-a1.wanad...va/cfs31248.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103159494169
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\iecz32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

[ukbiker]

Hi there jakethanless.

Dont worry about the Ewido problems, the Computer doesnt hate you, its the bug that hates Ewido!

Ok, I will have to do a bit more research into your log and programmes list then I will post the fix.

We will get this sorted.

UKBiker

[ukbiker]

Hi there Jakethanless

There are a couple of ways to get this infection cleaned, some are frankly easier than others, so lets try the easy way first


You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

• Download and prepare CWShredder for use:
  • Download CWShredder.
  • Save CWShredder.exe to a convenient location.
  • Please do not do anything with it yet.
• Download and prepare AboutBuster for use:
  • Download AboutBuster.
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update".
  • You must not run the program yet so click "Exit".
• Download and prepare cwsserviceremove.reg for use:
  • Download cwsserviceremove.zip.
  • Unzip the contents of cwsserviceremove.zip (cwsserviceremove.reg) to your desktop.
  • Please do not do anything with it yet.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Your System Restore backups are infected, as a result we need to purge them by turning off System restore. To do this go -

Start>control panel.>choose the System icon>system restore, then check the box to disable it.


Boot into Safe Mode:
To do this, Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

When you are in safe Mode, carry out the following instructions

• Run CWShredder:
  • Double-click on CWShredder.exe.
  • Click "Fix ->" and click "OK" at the prompt.
  • CWShredder will scan and clean your system of CWS files.
  • Click "Next->" and then "Exit".
• Remove the offending service:
  • Double-click on cwsserviceremove.reg you downloaded earlier.
  • When it asks you to merge the information to the registry click "Yes".
• Run AboutBuster and save the logs:
  • Browse to where you saved AboutBuster and run AboutBuster.exe.
  • Click OK at the directions prompt.
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I need a copy of it.
• Clean out temporary files:
  • Start | Run | type cleanmgr | OK
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.
• Restart your computer normally to return to normal mode.
• Free TrendMicro Housecall scan:
  • Vist the TrendMicro Housecall website.
  • Select your country from the drop-down list and click "Go".
  • Choose "Yes" at the ActiveX Security Warning prompt.
  • Please wait while the Housecall engine is updated.
  • Select the drives to be scanned by placing a check in their respective boxes.
  • Check the "Auto Clean" box.
  • Click "SCAN" in order to begin scanning your system.
  • Please be patient while Housecall scans your system for malicious files.
  • If not auto-cleaned, remove anything it finds.
  • Click "Close" to exit the Housecall scanner.
  • Choose "Yes" at the HouseCall message prompt.
• Prepare your reply:
  • Please post a fresh HijackThis log
  • Please post the AboutBuster log.
  • Please note any complications you had.

If we dont get it with this one, dont worry, we will nail this little swine.

UKBiker

Edited by ukbiker, 08 June 2005 - 04:08 PM.

[jakethanless]

Many,many thanx, once again..i'm on it

[jakethanless]

Hi again UKBiker, OK, all done...correctly i hope. The only complication I have noticed is that my pc is now running very slowly. Anyways, here's the logs. Many thanks.

Logfile of HijackThis v1.99.1
Scan saved at 20:42:28, on 12/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Class - {FF539AEB-0A7D-AC37-9E12-A0854F3ADCBC} - C:\WINDOWS\system32\netix32.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ipgw.exe] C:\WINDOWS\system32\ipgw.exe
O4 - HKLM\..\Run: [atlbv32.exe] C:\WINDOWS\system32\atlbv32.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 3.1.0.248 - http://chat-a1.wanad...va/cfs31248.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.31.7.116/Java/cfs40320.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103159494169
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\iecz32.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe

AboutBuster 5.0 reference file 30
Scan started on [12/06/2005] at [19:46:16]
------------------------------------------------
Removed Stream! C:\WINDOWS\ACROGRAF.INI:yyixie
Removed Stream! C:\WINDOWS\ACROREAD.INI:qruiom
Removed Stream! C:\WINDOWS\antpl.txt:iknnqp
Removed Stream! C:\WINDOWS\antpl.txt:jztdco
Removed Stream! C:\WINDOWS\axvwo.dat:bamiez
Removed Stream! C:\WINDOWS\bheck.txt:tlqgmj
Removed Stream! C:\WINDOWS\BICYCLE.INI:pokwow
Removed Stream! C:\WINDOWS\Big8Sol(3).ini:scpcmv
Removed Stream! C:\WINDOWS\Big8Sol.ini:abvjyd
Removed Stream! C:\WINDOWS\biqbd.txt:swrwqx
Removed Stream! C:\WINDOWS\Blue Lace 16.bmp:scnpaf
Removed Stream! C:\WINDOWS\bootstat.dat:ddbmii
Removed Stream! C:\WINDOWS\cgkio.log:kdyuvq
Removed Stream! C:\WINDOWS\chipset.log:ddrzxa
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:puvgh
Removed Stream! C:\WINDOWS\djkue.dat:hcmul
Removed Stream! C:\WINDOWS\DogsOWar.INI:caqixn
Removed Stream! C:\WINDOWS\EA.INI:leawct
Removed Stream! C:\WINDOWS\EP.INI:eetjev
Removed Stream! C:\WINDOWS\eReg.dat:gclgok
Removed Stream! C:\WINDOWS\ES.INI:wfdozg
Removed Stream! C:\WINDOWS\essol.txt:rabqcl
Removed Stream! C:\WINDOWS\exfpr.dat:tfzkiu
Removed Stream! C:\WINDOWS\exjny.dat:ovharz
Removed Stream! C:\WINDOWS\EZLANG.INI:hgwttq
Removed Stream! C:\WINDOWS\FaxSetup.log:jstvfv
Removed Stream! C:\WINDOWS\FeatherTexture.bmp:aqlzq
Removed Stream! C:\WINDOWS\FS(2).INI:trves
Removed Stream! C:\WINDOWS\FS(3).INI:trves
Removed Stream! C:\WINDOWS\FUNCRD.INI:yiylhb
Removed Stream! C:\WINDOWS\Gemstorm(2).ini:lkorn
Removed Stream! C:\WINDOWS\Gemstorm(3).ini:lkorn
Removed Stream! C:\WINDOWS\Gemstorm.ini:umgfyq
Removed Stream! C:\WINDOWS\Greenstone.bmp:jkbwdo
Removed Stream! C:\WINDOWS\grfir.log:elgxp
Removed Stream! C:\WINDOWS\hfhrb.log:ffrxvl
Removed Stream! C:\WINDOWS\ibxgg.log:sxleub
Removed Stream! C:\WINDOWS\ikdfg.log:gzxxrg
Removed Stream! C:\WINDOWS\imsins.log:lyejwl
Removed Stream! C:\WINDOWS\IMSI_EZN.INI:dropqw
Removed Stream! C:\WINDOWS\IMSI_EZN.INI:wnbmjg
Removed Stream! C:\WINDOWS\iycwn.txt:vrhuty
Removed Stream! C:\WINDOWS\jautoexp.dat:ontrdr
Removed Stream! C:\WINDOWS\jrxmz.log:hoexft
Removed Stream! C:\WINDOWS\KB834707-IE6-20040929.115007.log:xeqwtp
Removed Stream! C:\WINDOWS\KB840987.log:hfiboa
Removed Stream! C:\WINDOWS\KB842773.log:agboqk
Removed Stream! C:\WINDOWS\KB890175.log:yyvyqp
Removed Stream! C:\WINDOWS\knrdu.dat:imwzlh
Removed Stream! C:\WINDOWS\kssah.log:sklmud
Removed Stream! C:\WINDOWS\kvjun.txt:izodsr
Removed Stream! C:\WINDOWS\lampron.ini:bnpfns
Removed Stream! C:\WINDOWS\llfix.dat:dfufut
Removed Stream! C:\WINDOWS\lnsvq.dat:bahqmc
Removed Stream! C:\WINDOWS\MAGICWRD.INI:vymkow
Removed Stream! C:\WINDOWS\mmric.txt:tbrwpm
Removed Stream! C:\WINDOWS\MSCHOMP(2).INI:qyhsap
Removed Stream! C:\WINDOWS\MSCHOMP(5).INI:aqrxuz
Removed Stream! C:\WINDOWS\MSCHOMP(5).INI:thlcog
Removed Stream! C:\WINDOWS\MSCHOMP.INI:wiqusm
Removed Stream! C:\WINDOWS\MSDraw(2).ini:didirj
Removed Stream! C:\WINDOWS\MSDraw(3).ini:jpouw
Removed Stream! C:\WINDOWS\MSDraw(4).ini:jpouw
Removed Stream! C:\WINDOWS\MSDraw(4).ini:oiihmx
Removed Stream! C:\WINDOWS\MSDraw(4).ini:oqpowx
Removed Stream! C:\WINDOWS\MSDraw(5).ini:jpouw
Removed Stream! C:\WINDOWS\MSDraw(5).ini:wjwnlt
Removed Stream! C:\WINDOWS\msgsocm.log:ezxsm
Removed Stream! C:\WINDOWS\msgsocm.log:hjbmoh
Removed Stream! C:\WINDOWS\msnavpklog.txt:sdoagj
Removed Stream! C:\WINDOWS\msnsetuplog.txt:cqyhq
Removed Stream! C:\WINDOWS\msnsetuplog.txt:okgand
Removed Stream! C:\WINDOWS\NimSim.ini:cdgfat
Removed Stream! C:\WINDOWS\ocgen.log:frksm
Removed Stream! C:\WINDOWS\ocmsn.log:udbxds
Removed Stream! C:\WINDOWS\opmtq.txt:eemdfc
Removed Stream! C:\WINDOWS\Patolli.INI:untiof
Removed Stream! C:\WINDOWS\POGO(2).INI:kjklx
Removed Stream! C:\WINDOWS\POGO(2).INI:wfeize
Removed Stream! C:\WINDOWS\POGO(3).INI:kjklx
Removed Stream! C:\WINDOWS\POGO(5).INI:kjklx
Removed Stream! C:\WINDOWS\POGO(5).INI:pyxvup
Removed Stream! C:\WINDOWS\POGO(6).INI:kjklx
Removed Stream! C:\WINDOWS\POGO(6).INI:tlcpd
Removed Stream! C:\WINDOWS\POGO(6).INI:xpxbka
Removed Stream! C:\WINDOWS\POGO(8).INI:kjklx
Removed Stream! C:\WINDOWS\POGO(9).INI:kjklx
Removed Stream! C:\WINDOWS\POGO(9).INI:qppgnc
Removed Stream! C:\WINDOWS\PROBACK.INI:iqilhm
Removed Stream! C:\WINDOWS\PYROWARE.ini:ptgdtw
Removed Stream! C:\WINDOWS\Q308387.log:hmrqwg
Removed Stream! C:\WINDOWS\Q312368.log:znkvqi
Removed Stream! C:\WINDOWS\Q315000.log:uajyiq
Removed Stream! C:\WINDOWS\Q315403Uninst.log:cobbz
Removed Stream! C:\WINDOWS\Q316134.log:fwaaw
Removed Stream! C:\WINDOWS\Q316134.log:matdca
Removed Stream! C:\WINDOWS\Q316134Uninst.log:lhliif
Removed Stream! C:\WINDOWS\Q329115.log:ebmied
Removed Stream! C:\WINDOWS\Q329115.log:eieoch
Removed Stream! C:\WINDOWS\Q329441.log:hblhkw
Removed Stream! C:\WINDOWS\Q810577.log:krksmg
Removed Stream! C:\WINDOWS\Q810833.log:hbhgyc
Removed Stream! C:\WINDOWS\Q817606.log:csdfor
Removed Stream! C:\WINDOWS\qgeip.dat:dcsgxz
Removed Stream! C:\WINDOWS\QTW.INI:wymtkk
Removed Stream! C:\WINDOWS\regopt.log:vtwlit
Removed Stream! C:\WINDOWS\River Sumida.bmp:ftgqkd
Removed Stream! C:\WINDOWS\setupapi.log:dfomqu
Removed Stream! C:\WINDOWS\setuperr.log:jeaowb
Removed Stream! C:\WINDOWS\setuperr.log:xxriq
Removed Stream! C:\WINDOWS\setuperr.log:zmwgj
Removed Stream! C:\WINDOWS\setuplog.txt:oghrsw
Removed Stream! C:\WINDOWS\simpleplanB_800.bmp:azuam
Removed Stream! C:\WINDOWS\smscfg.ini:ghaxmh
Removed Stream! C:\WINDOWS\spuninst.log:npkpbd
Removed Stream! C:\WINDOWS\spuninst.log:yakkpr
Removed Stream! C:\WINDOWS\ssonu.txt:fqcudf
Removed Stream! C:\WINDOWS\Sti_Trace.log:goyvxz
Removed Stream! C:\WINDOWS\switchagreement.txt:yrnaxq
Removed Stream! C:\WINDOWS\TANTRIX.INI:rqjfut
Removed Stream! C:\WINDOWS\Tasho(2).INI:kimwzv
Removed Stream! C:\WINDOWS\Tasho(3).INI:nzxqgg
Removed Stream! C:\WINDOWS\tb96.ini:cixbtf
Removed Stream! C:\WINDOWS\tb96.ini:jiutww
Removed Stream! C:\WINDOWS\toeuf.dat:cjnyqg
Removed Stream! C:\WINDOWS\tsoc.log:pzzlu
Removed Stream! C:\WINDOWS\tsoc.log:vjqpvi
Removed Stream! C:\WINDOWS\ujxwz.txt:jgcxiz
Removed Stream! C:\WINDOWS\vb(2)(2).ini:stvjs
Removed Stream! C:\WINDOWS\vb(2)(2).ini:zwecv
Removed Stream! C:\WINDOWS\vb(2).ini:zwecv
Removed Stream! C:\WINDOWS\vb(3).ini:zwecv
Removed Stream! C:\WINDOWS\vb(4)(2).ini:dzjgnz
Removed Stream! C:\WINDOWS\vb(4).ini:dzjgnz
Removed Stream! C:\WINDOWS\vb(4).ini:ejinvw
Removed Stream! C:\WINDOWS\vb(5)(2).ini:lunom
Removed Stream! C:\WINDOWS\vb(5)(2).ini:zwecv
Removed Stream! C:\WINDOWS\vb(5).ini:zwecv
Removed Stream! C:\WINDOWS\vb.ini:pkbtpz
Removed Stream! C:\WINDOWS\vbaddin.ini:vabthc
Removed Stream! C:\WINDOWS\Viewer.ini:hltyjj
Removed Stream! C:\WINDOWS\vminst.log:oauybm
Removed Stream! C:\WINDOWS\WATCH.INI:zymgkz
Removed Stream! C:\WINDOWS\WBLOCKER.INI:zledmt
Removed Stream! C:\WINDOWS\Wgid.ini:szflek
Removed Stream! C:\WINDOWS\wiaservc.log:rnwiam
Removed Stream! C:\WINDOWS\win.ini:bctlim
Removed Stream! C:\WINDOWS\WIN16EX_.Z@2:bvxcqd
Removed Stream! C:\WINDOWS\WIN16EX_.Z@5:jopwcp
Removed Stream! C:\WINDOWS\WIN31EX_.Z@4:tdmrdp
Removed Stream! C:\WINDOWS\Windows Update.log:bpzbxz
Removed Stream! C:\WINDOWS\WindowsUpdate.log:mdewfz
Removed Stream! C:\WINDOWS\WINHELP.BMK:mxamnp
Removed Stream! C:\WINDOWS\winnt.bmp:eepbzk
Removed Stream! C:\WINDOWS\winnt256.bmp:fytsha
Removed Stream! C:\WINDOWS\WORDPAD(2).INI:iesvnz
Removed Stream! C:\WINDOWS\WSQUARE.INI:afdahk
Removed Stream! C:\WINDOWS\XCGC.INI:tgvnbu
Removed Stream! C:\WINDOWS\yncqo.dat:lyotdx
Removed Stream! C:\WINDOWS\yvfmi.txt:mpncrf
Removed Stream! C:\WINDOWS\~GLC0001.TMP:balogk
------------------------------------------------
Removed File! : C:\Windows\aaspy.dat
Removed File! : C:\Windows\dmsgd.dat
Removed File! : C:\Windows\evzel.dat
Removed File! : C:\Windows\exfpr.dat
Removed File! : C:\Windows\exjny.dat
Removed File! : C:\Windows\fmbwm.dat
Removed File! : C:\Windows\fqgmm.dat
Removed File! : C:\Windows\fywsl.dat
Removed File! : C:\Windows\hpmch.dat
Removed File! : C:\Windows\kfbzs.dat
Removed File! : C:\Windows\llfix.dat
Removed File! : C:\Windows\ngwxf.dat
Removed File! : C:\Windows\niuyt.dat
Removed File! : C:\Windows\onagn.dat
Removed File! : C:\Windows\syswk32.exe
Removed File! : C:\Windows\uxdtq.dat
Removed File! : C:\Windows\wymtk.dat
Removed File! : C:\Windows\xrzro.dat
Removed File! : C:\Windows\ywylh.dat
Removed File! : C:\Windows\zddsv.dat
Removed File! : C:\Windows\zeaxr.dat
Removed File! : C:\Windows\System32\atltj.exe
Removed File! : C:\Windows\System32\cooct.dat
Removed File! : C:\Windows\System32\d3vd32.exe
Removed File! : C:\Windows\System32\esedh.dat
Removed File! : C:\Windows\System32\gesoj.dat
Removed File! : C:\Windows\System32\hqezs.dat
Removed File! : C:\Windows\System32\iekw.exe
Removed File! : C:\Windows\System32\ipfi32.exe
Removed File! : C:\Windows\System32\kfdin.dat
Removed File! : C:\Windows\System32\ntgz32.exe
Removed File! : C:\Windows\System32\ntmn.exe
Removed File! : C:\Windows\System32\seruy.dat
Removed File! : C:\Windows\System32\ulxlq.dat
Removed File! : C:\Windows\System32\uytsl.dat
Removed File! : C:\Windows\System32\vnlmx.dat
Removed File! : C:\Windows\System32\vrmxn.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 19:47:09

[ukbiker]

Hi There Jakethanless.

Ok, we managed to get rid of some things but not others. I did warn you it would be a pig to get rid of this one . Dont worry about the slow running of your PC at the moment, when we get clean, it will be Much better.

Ok, here is the next part of the fix, again, please print out the instructions etc...

Please download and install these programs - don't run them yet!!



Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.



Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigha...ds/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

+++++++++++++++++++++++++++++++++++++++++++++++++

Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Remote Procedure Call (RPC) Helper <<< Make sure that the service is titled "Remote Procedure Call (RPC) Helper"


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:


atlbv32.exe
ipgw.exe


If you find the files, click on them, and then click End Process => Exit the Task Manager.


4. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following,

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Class - {FF539AEB-0A7D-AC37-9E12-A0854F3ADCBC} - C:\WINDOWS\system32\netix32.dll (file missing)
O4 - HKLM\..\Run: [ipgw.exe] C:\WINDOWS\system32\ipgw.exe
O4 - HKLM\..\Run: [atlbv32.exe] C:\WINDOWS\system32\atlbv32.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\iecz32.exe (file missing

then click "Fix Checked"

5. Delete the following files if present using windows explorer:
If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.
C:\WINDOWS\system32\iecz32.exe
C:\WINDOWS\system32\atlbv32.exe
C:\WINDOWS\system32\ipgw.exe
C:\WINDOWS\system32\netix32.dll

(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - netix32.exe, iecz32.dll, ipgw.dat)

6. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say "yes".

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.


12. Download and run this online virus scan:
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"


13. Reboot and post a fresh HJT log back here by using the add reply button below, and lets see how we did,


UKBiker with thanks to "Mr C"

[jakethanless]

Once again, thank you...and thanks to Mr C too. Later