Can't remove SpySheriff (and others?) [CLOSED]



#16
arbo

arbo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi,

Well that didn't work. When I ran the HJT log, and checked those items you asked me to, everything was checked and fixed except for:

O4 - HKLM\..\Run: [secboot] C:\windows\System32\mszx23.exe !!
(WAS NOT THERE)

When I went through the other deletions you requested, the following happened:

Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

c:\windows\system32\mdms.exe (Access denied)
C:\windows\System32\sapkepyn.exe (deleted)
c:\Program Files\Internet Explorer\shttps<===Folder (deleted)
C:\windows\msmsgr2.exe (was not there)
C:\windows\System32\mszx23.exe !! (In use by another program, close the other program and try again)
C:\winstall.exe (deleted)
C:\Apps\Goldmine\gmw6.exe (I don't want to delete this one, it's a legitimate customer management database that we use for my business - it's legit and I don't want to lose everything)
C:\windows\SYSTEM32\drct16.dll (In use by another program, close the other program and try again)
C:\windows\SYSTEM32\tcpG4T.dll (Access denied, full or write protected)
c:\program files\common files\microsoft shared\dao<===Folder (deleted)



Here's the latest HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 8:10:11 AM, on 8/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\windows\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\MediaKey\MediaKey.EXE
C:\windows\essspk.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\windows\soundman.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2.tmp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1.tmp.exe
C:\windows\System32\bcmwltry.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\System32\mszx23.exe
C:\Program Files\Messenger\msmsgs.exe
C:\windows\System32\ctfmon.exe
C:\windows\System32\RUNDLL32.EXE
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\windows\tool2.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~6.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~D.tmp.exe
C:\windows\System32\rundll32.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~9.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E.tmp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~16.tmp.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17.tmp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\windows\System32\wuauclt.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\clbnbqxqnw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SNInstall] C:\windows\tool2.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...539/mcfscan.cab
O20 - Winlogon Notify: drct16 - C:\windows\SYSTEM32\drct16.dll
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
O23 - Service: CWShredder Service - Unknown owner - A:\CWShredder.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

Hope you can help,

Do you think it will help if we install Norton's Anti Spyware, Anti Virus, Internet Security program?

Thanks
  • 0


#17
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Do not have 2 AVs running on your system at the same time.

Your system has been severely hijacked by a virus/trojan of the Haxdoor family that steals passwords and everything else. Watch your database and everything else on your computer for confidential matter. I would limit my use of this computer until the problem is eradicated.

This is a new trojan for which there is but little info out there. Trend Micro offers a removal method that I must ask you to try. Apparently, if not done properly, this trojan just comes right back after deletion. We saw that.

Here is the link to the removal method: http://www.trendmicr...OOR.BN&VSect=Sn

After you have completed these steps, please repost a fresh HJT log and we will continue the cleanup.

Regards,

Trevuren

  • 0

#18
arbo

arbo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi Trevuren,

I did everything the file suggested by Trend Micro. There were a number of files they asked me to try and delete that weren't on my computer in the first place. Also, when doing the registry changes, there were a number of files and things they suggested to delete which were there, particularly of note was the mszx23.exe which was not there? (I thought that was the virus/error that I had???)

I ran the Trend Micro Scan online and it picked up a number of viruses, nothing relating to "bkdr.haxdoor.bn" at all though and no trojans?

I've posted the new HJT log below for you!

Logfile of HijackThis v1.99.1
Scan saved at 1:10:56 PM, on 8/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\sdrxixfl.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SNInstall] C:\windows\tool2.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...539/mcfscan.cab
O20 - Winlogon Notify: drct16 - C:\windows\
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
O23 - Service: CWShredder Service - Unknown owner - A:\CWShredder.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
  • 0

#19
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Nice work arbo

They claim to be able to kill that version of Haxdoor trojan (some call it a virus). By your log, they are incorrect.

This is a problem. Cases similar to yours have been popping up for about a week now and all of us are having a really hard time killing it. I have messages out to the other malware fighters in our forum for assistance but have yet to get a reply.

When I see the calibre of malware fighter not succeeding against this it does not bode well for a rapid resolution.

I repeat: This trojan steals passwords and leaves your system wide open to data theft of all kinds while you are online. BEWARE. You may already have become a victim.

By the way, I think it got the first file. The second one is the stealth component of the infection and that is proving to be harder.

++++++++++++++++++++++++++++++++++++++++++

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\sdrxixfl.exe
    O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
    O4 - HKCU\..\Run: [SNInstall] C:\windows\tool2.exe
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O20 - Winlogon Notify: drct16 - C:\windows\
    O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll


  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode
    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    C:\windows\System32\sdrxixfl.exe
    c:\windows\system32\mdms.exe
    C:\windows\tool2.exe
    C:\winstall.exe
    C:\windows\SYSTEM32\tcpG4T.dll

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0
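Added example (not part of the original thread and not any poster's code): a small Python triage pass over HijackThis log lines that flags the patterns visible in the logs above and diffs the autorun entries of two scans, showing a Run value re-pointed at a new file. The sample lines are excerpts trimmed from the 8:10 AM and 1:10 PM logs in this thread; `SECURITY_HINTS` and all function names are assumptions made for the illustration.

```python
import re

# Constructed sample input: lines excerpted and trimmed from the two
# HijackThis logs posted in this thread (the O1 host list is shortened).
LOG_BEFORE = r"""
Running processes:
C:\windows\System32\svchost.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2.tmp.exe
C:\windows\System32\mszx23.exe

O1 - Hosts: 255.255.255.255 avp.com download.mcafee.com www.trendmicro.com
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\clbnbqxqnw.exe
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
"""

LOG_AFTER = r"""
Running processes:
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE

O1 - Hosts: 255.255.255.255 avp.com download.mcafee.com www.trendmicro.com
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\sdrxixfl.exe
O4 - HKLM\..\Run: [SysMemory manager] c:\windows\system32\mdms.exe
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
"""

ENTRY_RE = re.compile(r"^O\d+ - ")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
TEMP_EXE_RE = re.compile(r"\\Temp\\~[0-9A-F]+\.tmp\.exe$", re.I)
# Assumption: substrings taken from the security/update sites in this
# thread's O1 line; extend for your own environment.
SECURITY_HINTS = ("avp.", "mcafee", "trendmicro", "symantec", "sophos",
                  "f-secure", "kaspersky", "windowsupdate")


def parse_log(text):
    """Split a HijackThis log into processes, hosts, Run and Notify entries."""
    log = {"processes": [], "hosts": [], "run": {}, "notify": {}}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line or ENTRY_RE.match(line):
            in_procs = False  # process list ends at a blank line or first O-entry
        if in_procs:
            log["processes"].append(line)
        elif line.startswith("O1 - Hosts: "):
            tokens = line[len("O1 - Hosts: "):].split()
            if tokens:
                log["hosts"].append((tokens[0], tokens[1:]))
        elif (m := RUN_RE.match(line)):
            log["run"][(m.group(1), m.group(2))] = m.group(3)
        elif (m := NOTIFY_RE.match(line)):
            log["notify"][m.group(1)] = m.group(2)
    return log


def triage(log):
    """Return (category, detail) findings for the patterns seen in this thread."""
    out = []
    for ip, names in log["hosts"]:
        blocked = [n for n in names
                   if any(h in n.lower() for h in SECURITY_HINTS)]
        if blocked:  # security/update sites pinned to an unroutable address
            out.append(("hosts-blocks-security-sites",
                        f"{ip} -> {len(blocked)} name(s)"))
    temp = [p for p in log["processes"] if TEMP_EXE_RE.search(p)]
    if temp:  # executables running out of the user's Temp directory
        out.append(("temp-dir-executables", f"{len(temp)} process(es)"))
    for name, path in sorted(log["notify"].items()):
        # every O20 line is surfaced for manual review
        out.append(("winlogon-notify-review", f"{name} = {path}"))
    return out


def repointed_autoruns(before, after):
    """Run values present in both scans whose target file changed."""
    shared = before["run"].keys() & after["run"].keys()
    return sorted((hive, name, before["run"][(hive, name)],
                   after["run"][(hive, name)])
                  for hive, name in shared
                  if before["run"][(hive, name)].lower()
                  != after["run"][(hive, name)].lower())


def new_autoruns(before, after):
    """Run values that appear only in the later scan."""
    added = after["run"].keys() - before["run"].keys()
    return sorted((hive, name, after["run"][(hive, name)])
                  for hive, name in added)


if __name__ == "__main__":
    b, a = parse_log(LOG_BEFORE), parse_log(LOG_AFTER)
    for finding in triage(b):
        print("before:", finding)
    for row in repointed_autoruns(b, a):
        print("re-pointed:", row)
    for row in new_autoruns(b, a):
        print("new:", row)
```

A Run value that keeps its name but changes its target between scans, as `hqqxoash` does here, indicates the file was re-dropped under a new name after cleanup rather than removed.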

#20
arbo

arbo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi mate,

Thanks for being so committed! This thing is driving me nuts!

Would it make any difference if I reformatted the hard drive and reinstalled Windows and all the programs back onto the computer? I know it's like throwing the baby out with the bath water but this is driving me crazy! We were shutting down the system before and a white screen came up with bright red writing saying "Oops, you need to click here to close this page", obviously, we didn't, we just shut down the pc from the power point.

I have been able to transfer our my docs and other important information (our goldmine databases and financial programs), do you think these will be infected if we reloaded them and started it all from scratch?

In the meantime, I'll try your next fix until I hear from you again?

(almost your bedtime soon??)

Thanks
Arbo
  • 0

#21
arbo

arbo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Ok,

We did what you asked, the following exceptions though:

In windows explorer - C:\winstall.exe was not there and c:\windows\system32\tcpG4t.dll was in use - access denied.

Also, when started up in normal mode, came up with white background with a triangle & ! in it, with writing that said - desktop recovery - with a button that says "restore active desktop" - obviously didn't click it.

Here's the latest

Logfile of HijackThis v1.99.1
Scan saved at 2:24:26 PM, on 8/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\MediaKey\MediaKey.EXE
C:\windows\essspk.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\windows\soundman.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\windows\System32\bcmwltry.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\windows\System32\ctfmon.exe
C:\windows\System32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~6.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~9.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3.tmp.exe
C:\windows\System32\rundll32.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~7.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~10.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~12.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~19.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~18.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~16.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~21.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~23.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~22.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~20.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~24.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~25.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~26.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~29.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~27.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~30.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~33.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~28.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~37.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~31.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~32.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~36.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~34.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~35.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~38.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~39.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3C.tmp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~40.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~46.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~41.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~45.tmp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~48.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~43.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~44.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~47.tmp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jucheck.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~49.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~42.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~51.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~54.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~52.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~50.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~53.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~58.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~59.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~56.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~57.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~63.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~61.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~60.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~65.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~64.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~71.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~78.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~70.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~7A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~79.tmp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~7B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~7C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~7E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~80.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~7F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~82.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~81.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~83.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~8F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~90.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~91.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~9C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~88.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~A5.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~8E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~9F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~9E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~8D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~9D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~8B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~A0.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~A8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~AC.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~BC.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~BA.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C0.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~BF.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~CB.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C9.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C1.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~CA.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C5.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C3.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C4.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C2.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~D2.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~D3.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~D8.tmp.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~DA.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~DE.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~DD.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E2.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E6.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E4.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E7.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~EB.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~EA.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E9.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~EC.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~F9.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~F8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~FE.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~FB.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~FC.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~101.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~FD.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~100.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~102.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~103.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~108.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~105.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~104.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~107.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~109.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~10B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~10D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~10C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~110.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~112.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~115.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~117.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~118.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~119.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~121.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~124.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~120.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~128.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~126.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~12D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~12C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~127.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~130.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~12F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~12E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~131.tmp.exe
C:\windows\System32\wuauclt.exe
C:\windows\System32\wuauclt.exe

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\gekhjxkvyqyjo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...539/mcfscan.cab
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
O23 - Service: CWShredder Service - InterMute, Inc. - A:\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
  • 0

#22
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Can't sleep. This is bothering me. You too for sure.

To answer your question: I don't think your data will be infected and a reformat/reinstall would clear it up. I hate giving in to those rats that do this to people but people also have to be practical. You have a business to run. You have my support in any decision you make. It's your computer and livelihood.

I am still going to research this to death, but that's my problem.

1. Please run Hoster again.

2. REBOOT into Safe Mode.
  • Locate the following file: C:\windows\SYSTEM32\tcpG4T.dll
  • Try and DELETE the file
  • If access is denied again, right-click on the file and check the Properties. Make sure that all attributes are not checked, and attempt to Delete the file once more
  • Reboot your system

3. Download the .exe format of Cleanup by Steven Gould from: HERE
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • Finally click "CleanUp"
The program will probably ask you to reboot. If it doesn't, then REBOOT your system yourself.

Regards, Trevuren
  • 0

#23
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Download "Registry Search Tool" (RegSrch.vbs) from here
http://www.billsway.com/vbspage/
start it and paste in tcpG4T.dll, wait for it to complete the search, click ok at the prompt. Then when wordpad opens, copy that back here please.

The output log will not be saved automatically, and it tells the user that. :tazz:


Trevuren

Edited by Trevuren, 08 August 2005 - 09:59 AM.

  • 0

#24
arbo

arbo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks for the feedback earlier.
I do need to make a decision as to whether this is working or not, but I am happy to hang in there a little longer to sort this out (not particularly impressed with the idea of having to start again, but then who would be).

I did all of the above.

We couldn't delete the tcpG4T.dll file (again) - both attributes were unchecked at the time. Rebooted, but whenever I reboot in normal mode, it slows and slows and slows then reboots after about 2-3 minutes. So I rebooted in safe mode again and did the cleanup (saved myself 177MB of temp files!)

Then we did the regsearch for you - it took 18 seconds and said "No instances of "tcpG4T.dll" found"

Back to you capt'n!

:tazz:
  • 0

#25
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please provide a fresh HJT log


Trevuren
  • 0


#26
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Here is a procedure explained by Grinler that may provide some positive results in our case:
  • Download and extract the Autoruns programs by Sysinternals to C:\Autoruns

  • Reboot into Safe Mode so that the malware is not started when you are doing these steps. Many malware monitor the keys that allow them to start and if they notice they have been removed, will automatically replace that startup key. For this reason booting into safe mode allows us to get past that defense in most cases.

  • Navigate to the C:\Autoruns folder you created in Step 1 and double-click on autoruns.exe.
  • When the program starts, click on the Options menu and enable the following options by clicking on them. This will place a checkmark next to each of these options.
    • Include empty locations
    • Verify Code Signatures
    • Hide Signed Microsoft Entries
  • Then press the F5 key on your keyboard to refresh the startups list using these new settings.

  • The program shows information about your startup entries in 8 different tabs. For the most part, the filename you are looking for will be found under the Logon or the Services tabs, but you should check all the other tabs to make sure they are not loading elsewhere as well. Click on each tab and look through the list for the filename that you want to remove. The filename will be found under the Image Path column. There may be more than one entry associated with the same file as it is common for malware to create multiple startup entries. It is important to note that many malware programs disguise themselves by using the same filenames as valid Microsoft files. It is therefore important to know exactly which file, and the folder they are in, that you want to remove. You can check our Startup Database for that information or ask for help in our forums.

  • Once you find the entry that is associated with the malware, you want to delete that entry so it will not start again on the next reboot. To do that right click on the entry and select delete. This startup entry will now be removed from the Registry.


  • Now that we made it so it will not start on boot up, you should delete the file using My Computer or Windows Explorer. If you can not see the file, it may be hidden.

  • When you are finished removing the malware entries from the Registry and deleting the files, reboot into normal mode and post a fresh HJT log for review.
Regards,

Trevuren

  • 0
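Added example, not part of the thread and not code from HijackThis or Autoruns: a small triage script that reads a HijackThis log and reports the three persistence and tampering signs visible in the logs posted here (images running from the user's Temp folder, a Hosts entry sinking security-vendor and update domains, and a Winlogon Notify DLL). The sample log is abridged from the lines posted in this thread; the function names, the keyword list and the sink-address list are assumptions made for the illustration.

```python
import re

# Addresses that make a hostname unreachable when placed in the Hosts file (assumed list).
SINK_ADDRESSES = {"255.255.255.255", "0.0.0.0", "127.0.0.1"}
# Substrings of security-vendor and update domains (assumed list, taken from the O1 line in the thread).
SECURITY_KEYWORDS = ("mcafee", "symantec", "sophos", "f-secure", "kaspersky",
                     "trendmicro", "windowsupdate", "microsoft")

TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")           # e.g. "O4 - HKLM\..\Run: ..."
NOTIFY = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")

# Abridged from the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\windows\System32\smss.exe
C:\windows\Explorer.EXE
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2.tmp.exe
C:\windows\soundman.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3.tmp.exe

O1 - Hosts: 255.255.255.255 download.mcafee.com liveupdate.symantec.com windowsupdate.microsoft.com www.trendmicro.com
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\gekhjxkvyqyjo.exe
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
"""


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY.match(line)
        if match:
            in_processes = False  # the process list ends at the first R/O entry
            entries.append((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def triage(parsed):
    """Return (category, detail) findings worth a manual look."""
    findings = []

    # 1. Executables running out of a Temp directory.
    temp_procs = [p for p in parsed["processes"] if TEMP_DIR.search(p)]
    if temp_procs:
        findings.append(("process-from-temp",
                         f"{len(temp_procs)} of {len(parsed['processes'])} "
                         "running images are in a Temp directory"))

    for code, body in parsed["entries"]:
        # 2. Hosts file sinking security-vendor or update domains.
        if code == "O1" and body.startswith("Hosts:"):
            tokens = body[len("Hosts:"):].split()
            if len(tokens) < 2:
                continue
            addr, hosts = tokens[0], tokens[1:]
            blocked = [h for h in hosts
                       if any(k in h.lower() for k in SECURITY_KEYWORDS)]
            if addr in SINK_ADDRESSES and blocked:
                findings.append(("hosts-blocks-updates",
                                 f"{addr} -> {', '.join(blocked)}"))
        # 3. DLLs registered as Winlogon notification packages.
        elif code == "O20":
            match = NOTIFY.match(body)
            if match:
                findings.append(("winlogon-notify",
                                 f"{match.group(1)} loads {match.group(2)}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{category}] {detail}")
```

Every O20 entry is reported for review rather than judged, since the script has no list of known-good notification packages.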

#27
arbo

arbo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here's the first HJT log you requested. I'll try the other things you suggested now:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:07 AM, on 9/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...539/mcfscan.cab
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
O23 - Service: CWShredder Service - InterMute, Inc. - A:\CWShredder.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
  • 0

#28
arbo

arbo

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi Trevuren,

Well, I ran the Autoscan you asked, but that tcpG4t.dll was not there.
When I load in normal mode, it just starts slowing and slowing, then eventually it reboots. I managed to get this off it though before it slowed too much:

Logfile of HijackThis v1.99.1
Scan saved at 10:01:15 AM, on 9/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\windows\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\MediaKey\MediaKey.EXE
C:\windows\essspk.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1.tmp.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2.tmp.exe
C:\windows\soundman.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3.tmp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~6.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~7.tmp.exe
C:\windows\System32\bcmwltry.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~9.tmp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~F.tmp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11.tmp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~12.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~10.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~14.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~16.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17.tmp.exe
C:\windows\System32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\windows\System32\rundll32.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\windows\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~119.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~118.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~117.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~120.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~121.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~122.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~124.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~123.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~125.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~131.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~12F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~132.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~133.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~134.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~137.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~138.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~136.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~135.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~139.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~151.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~149.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~147.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~153.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~157.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~154.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~158.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~155.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~156.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~162.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~159.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~160.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~161.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~169.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~16B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~176.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~178.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~175.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~177.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~179.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~186.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~180.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~188.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~181.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~182.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~18B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~18A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~184.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~18D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~190.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~18E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~18F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~199.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~197.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~194.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~193.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~19A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~191.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~195.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~196.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~198.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~192.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~19C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~19B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~19D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1AE.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B0.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1AF.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B5.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B1.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B3.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1BB.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B4.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B6.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1BE.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1BC.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B7.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B2.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1BF.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1BA.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B9.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1C0.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1CC.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1CF.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1CB.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1CE.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1CD.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1DB.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1D4.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1D8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1D9.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1D7.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1DD.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1DA.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1DF.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1DE.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1E3.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1FA.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1FB.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F5.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F2.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1FC.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F6.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F3.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F9.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F4.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F7.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1FD.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1FF.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~207.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~213.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~217.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~21A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~214.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~215.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~216.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~219.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~21B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~212.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~211.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~218.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~21C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~223.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~226.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~22A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~22B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~22D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~22F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~22E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~233.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~230.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~22C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~232.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~231.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~242.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~243.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~24D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~245.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~244.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~24B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~246.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~24C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~24A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~24E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~250.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~251.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~255.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~252.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~256.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~254.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~257.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~253.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~265.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~267.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~268.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~269.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~26D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~270.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~26E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~26F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~274.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~275.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~278.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~279.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~277.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~280.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~283.tmp.exe
C:\windows\System32\wuauclt.exe

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\fgsccxw.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...539/mcfscan.cab
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

#29
Trevuren


    Old Dog

  • Retired Staff
  • 18,699 posts
Please do the following:

1. Run CLEANUP again.

2. UNINSTALL WinFixer 2005 through Add/Remove Programs.

3. Reboot your system

4. Post a fresh HJT log


Regards,

Trevuren


#30
arbo


    Member

  • Topic Starter
  • 20 posts
Hi there,

I ran the cleanup - I noticed it kept saying "in use - will be deleted" for a lot of the temp files.

I went to Add/Remove Programs, but it said there was an error: "the program may already be removed - do I want to delete it from the Add/remove programs list?"
I clicked OK.

Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:33 AM, on 9/08/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\csrss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\windows\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\PROGRA~1\MediaKey\MediaKey.EXE
C:\windows\essspk.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3.tmp.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\windows\soundman.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4.tmp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~7.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~5.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~6.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~8.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~9.tmp.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~A.tmp.exe
C:\windows\System32\bcmwltry.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~B.tmp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~F.tmp.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~10.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~11.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~12.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~13.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~14.tmp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~18.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~15.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~16.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~17.tmp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~19.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~1D.tmp.exe
C:\windows\System32\fgsccxw.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~20.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~22.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~21.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~24.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~25.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~26.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~23.tmp.exe
C:\windows\System32\ctfmon.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~27.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~36.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~32.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~28.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~34.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~33.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~30.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~37.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~31.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~29.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~2F.tmp.exe
C:\windows\System32\rundll32.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~38.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~39.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~48.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~43.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~45.tmp.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\windows\System32\wuauclt.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~42.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~46.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~44.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~40.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~53.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~41.tmp.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~54.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~4F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~47.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~3F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~51.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~55.tmp.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\windows\System32\wuauclt.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~255.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~253.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~256.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~258.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~25C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~25A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~259.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~25B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~25D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~25E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~25F.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~260.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~262.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~261.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~264.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~265.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~266.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~272.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~274.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~277.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~278.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~279.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~27A.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~27B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~27E.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~280.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~281.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~283.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~282.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~284.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~285.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~286.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~287.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~289.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~28B.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~28C.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~28D.tmp.exe
C:\DOCUME~1\SOVERE~1\LOCALS~1\Temp\~28F.tmp.exe

O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [MediaKey] C:\PROGRA~1\MediaKey\MediaKey.EXE
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\wfx5.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [hqqxoash] C:\windows\System32\cibzs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...539/mcfscan.cab
O20 - Winlogon Notify: tcpG4T - C:\windows\SYSTEM32\tcpG4T.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe