Blue screen appears and then shut down



hwangche
2007-11-30, 03:37
Hi everyone,

I used to clean my computer with AVG Anti-spyware and Spybot once every two weeks. But recently, every time I run these programs, my computer shuts down in the middle of scanning. The situation has become worse. My computer now shuts down even if I run other programs. It always happens all of a sudden and it's very annoying since I always lose the unsaved work. Please help! Thanks.

Shaba
2007-12-01, 11:18
Hi hwangche

Do those work in safe mode?

What is your CPU temperature?

hwangche
2007-12-01, 21:19
> Hi hwangche
>
> Do those work in safe mode?
>
> What is your CPU temperature?

It works better in safe mode, but it still crashes sometimes. I don't know the CPU temperature, how can I check it? Actually, I did think about the CPU temperature before and cleaned the dust deposit on the case, but it didn't help.

Shaba
2007-12-03, 10:25
Hi

Use everest (http://www.majorgeeks.com/download4181.html)
and post back, please :)

hwangche
2007-12-04, 07:08
Please check the following link for the report generated by everest.

http://www.msu.edu/~hwangche/Report.htm

Shaba
2007-12-04, 13:22
Hi

Temperatures seem to be ok but you have only 256 megs of RAM.

However, your symptoms point to a hardware error.

I can re-direct you to some windows forum but let's check this first:

Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Double-click on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

hwangche
2007-12-05, 02:55
I know my computer is low on memory, so I decided to upgrade it. I found this website http://www.1stchoicememory.com/catalog/products.asp?ID=2221
What's the difference between basic ram and better ram there? Coz the price is doubled.

Here is the hijackthis log file

Logfile of HijackThis v1.99.1
Scan saved at 9:50:27, on 5/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\sscserv.exe
O4 - HKLM\..\Run: [jpgdiag] C:\WINDOWS\system32\jpgconf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs:  au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll
O20 - Winlogon Notify: dxtmmnmd - C:\WINDOWS\system32\dxtmmnmd.dll (file missing)
O20 - Winlogon Notify: jpgmgr - jpgmgr32.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)

Shaba
2007-12-05, 11:09
Hi

Your version of HijackThis is outdated. Download and install the newest version from my link and post back a fresh HijackThis log with that version, please :)

hwangche
2007-12-06, 00:57
Here is the log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:54:31, on 6/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\sscserv.exe
O4 - HKLM\..\Run: [jpgdiag] C:\WINDOWS\system32\jpgconf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs:  au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll
O20 - Winlogon Notify: dxtmmnmd - C:\WINDOWS\system32\dxtmmnmd.dll (file missing)
O20 - Winlogon Notify: jpgmgr - jpgmgr32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 5643 bytes

Shaba
2007-12-06, 10:04
Hi

Have you installed this by yourself?

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

1. Download combofix from one of these links and save it to Desktop:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://subs.geekstogo.com/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report
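
A small parser for the HijackThis log layout posted in this thread, as an added example that is not part of the original posts or of HijackThis itself: it splits a log into header, running processes and O-entries, then marks entries carrying the attributes a helper usually checks first ("(file missing)", "Unknown owner", a non-empty AppInit_DLLs value, a Run command given without a path). The sample log and the reason labels are constructed for illustration; a mark is a prompt to look at the entry, not a verdict.

```python
import re
from collections import namedtuple

# Constructed sample in the HijackThis 2.x layout; every name in it is made up.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:00, on 1/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
O4 - HKCU\..\Run: [ExTask] extask80.exe
O20 - AppInit_DLLs: exa1.dll exb2.dll
O20 - Winlogon Notify: exnotify - C:\WINDOWS\system32\exnotify.dll (file missing)
O23 - Service: Example Remote Service (ex_server) - Unknown owner - C:\WINDOWS\system32\ex_server.exe
O23 - Service: Example Update Service (ExUpd) - Example Corp - C:\Program Files\Example\upd.exe

--
End of file - 999 bytes
"""

Entry = namedtuple("Entry", "code kind detail")

# "O4 - HKLM\..\Run: [name] command" -> code, kind (text before first colon), detail
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+):\s*(.*)$")
# Run entries carry the value name in brackets, then the command line
RUN_RE = re.compile(r"^\[[^\]]*\]\s*(.*)$")


def parse_log(text):
    """Split a HijackThis log into header fields, running processes and O-entries."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line closes the process list
            continue
        if line == "--":                  # trailer: "--" / "End of file - N bytes"
            break
        match = ENTRY_RE.match(line)
        if match:
            entries.append(Entry(*match.groups()))
        elif line.startswith("Logfile of"):
            version = re.search(r"HijackThis v(\S+)", line)
            if version:
                header["version"] = version.group(1)
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        elif ": " in line:                # "Platform: ...", "Boot mode: ..."
            key, value = line.split(": ", 1)
            header[key] = value
    return header, processes, entries


def triage(entries):
    """Return (entry, reasons) pairs for entries worth a manual look."""
    flagged = []
    for entry in entries:
        reasons = []
        # Registry still references a file that is no longer on disk.
        if entry.detail.endswith("(file missing)"):
            reasons.append("file-missing")
        # Service binary has no company name in its version resource.
        if entry.code == "O23" and " - Unknown owner - " in entry.detail:
            reasons.append("unknown-owner")
        # AppInit_DLLs are loaded into every process that loads user32.dll.
        if entry.code == "O20" and entry.kind == "AppInit_DLLs" and entry.detail:
            reasons.append("appinit-dlls")
        # Autorun command given as a bare file name, resolved via the search path.
        if entry.code == "O4":
            run = RUN_RE.match(entry.detail)
            if run and "\\" not in run.group(1):
                reasons.append("bare-filename")
        if reasons:
            flagged.append((entry, reasons))
    return flagged


if __name__ == "__main__":
    header, processes, entries = parse_log(SAMPLE_LOG)
    print("HijackThis", header.get("version"), "-", len(entries), "entries")
    for entry, reasons in triage(entries):
        print(f"{entry.code:4} {','.join(reasons):15} {entry.kind}: {entry.detail}")
```
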

hwangche
2007-12-08, 18:49
> Hi
>
> Have you installed this by yourself?
>
> O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

Yes, I installed this program myself.

> 1. Download combofix from one of these links and save it to Desktop:
> Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
> Link2 (http://subs.geekstogo.com/ComboFix.exe)
> 2. Double click combofix.exe & follow the prompts.
> 3. When finished, it shall produce a log for you. Post that log in your next reply
>
> Note:
> Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
>
> Combofix should never take more than 20 minutes including the reboot if malware is detected.
> If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
> If that happened we want to know, and also what process you had to end.
>
> Post:
>
> - a fresh HijackThis log
> - combofix report

Here are the log files,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:44:57, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\system32\notepad.exe
C:\ComboFix\nircmd.cfexe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [SoundMnEx32] C:\WINDOWS\sscserv.exe
O4 - HKLM\..\Run: [jpgdiag] C:\WINDOWS\system32\jpgconf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [combofix] "C:\WINDOWS\system32\cmd.exe" /c "cd /d C:\ComboFix\ & Combobatch.bat"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MsServer] msfun80.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O20 - AppInit_DLLs:  au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll
O20 - Winlogon Notify: dxtmmnmd - C:\WINDOWS\system32\dxtmmnmd.dll (file missing)
O20 - Winlogon Notify: jpgmgr - jpgmgr32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 5864 bytes

hwangche
2007-12-08, 18:50
And the combofix report

ComboFix 07-12-08.1 - CM Hwang 2007-12-09 1:34:53.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.53 [GMT 8:00]
執行位置?: C:\Documents and Settings\CM Hwang\桌面\ComboFix.exe
* 已建立新的還原點
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin1.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin10.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin11.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin12.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin13.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin14.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin15.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin16.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin17.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin18.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin19.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin2.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin20.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin21.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin22.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin23.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin24.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin25.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin26.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin27.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin28.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin29.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin3.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin30.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin31.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin32.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin33.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin34.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin35.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin36.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin37.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin38.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin39.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin4.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin40.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin41.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin42.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin43.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin44.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin45.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin46.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin47.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin48.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin49.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin5.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin50.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin51.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin52.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin53.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin6.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin7.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin8.zip
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CnsMin9.zip
C:\Program Files\3721\CNSMIN.DAT
C:\Program Files\delfin
C:\WINDOWS\system32\cns.dat
C:\WINDOWS\system32\cns.dll
C:\WINDOWS\system32\cns.exe
C:\WINDOWS\system32\drivers\CnsMinKP.sys
C:\WINDOWS\ufdata2000.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CNSMINKP
-------\CnsMinKP


(((((((((((((((((((((((((((( 2007-11-08 - 2007-12-08 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2007-12-09 01:38 . 2007-12-09 01:38 68,879 --a------ C:\Documents and Settings\CM Hwang\catchme.zip
2007-12-06 07:54 . 2007-12-06 07:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:37 . 2007-12-04 13:37 <DIR> d-------- C:\Program Files\Lavalys
2007-12-04 13:05 . 2007-12-04 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-12-04 13:04 . 2006-11-22 11:35 42,496 --a------ C:\WINDOWS\system32\AdvUninstCPL.cpl
2007-12-02 06:48 . 2001-07-24 23:15 241,664 --a------ C:\WINDOWS\system32\r_server.exe
2007-12-02 06:48 . 2000-07-10 20:06 90,112 --a------ C:\WINDOWS\system32\admdll.dll
2007-12-01 12:17 . 2007-12-01 12:17 <DIR> d--hs---- C:\FOUND.012
2007-11-30 15:44 . 2007-11-30 15:44 <DIR> d--hs---- C:\FOUND.011
2007-11-30 15:19 . 2007-11-30 15:19 <DIR> d--hs---- C:\FOUND.010
2007-11-30 10:57 . 2007-11-30 10:57 <DIR> d-------- C:\Program Files\Intel
2007-11-30 10:57 . 2001-11-15 00:00 87,018 --a------ C:\WINDOWS\system32\drivers\IdeChnDr.sys
2007-11-30 10:57 . 2001-11-15 00:00 41,022 --a------ C:\WINDOWS\system32\IPrtCnst.dll
2007-11-30 10:57 . 2001-11-15 00:00 13,654 --a------ C:\WINDOWS\system32\drivers\IdeBusDr.sys
2007-11-30 10:54 . 1998-02-09 03:00 1,455,736 --a------ C:\WINDOWS\system\VCL35.BPL
2007-11-30 10:54 . 1998-02-08 19:00 996,872 --a------ C:\WINDOWS\system\CP3240MT.DLL
2007-11-30 10:54 . 1998-05-18 10:52 458,752 --a------ C:\WINDOWS\system\COMCTL32.DLL
2007-11-30 10:54 . 1998-02-09 03:00 245,912 --a------ C:\WINDOWS\system\VCLX35.BPL
2007-11-30 10:54 . 1998-02-09 03:00 187,392 --a------ C:\WINDOWS\system\BCBSMP35.BPL
2007-11-30 10:54 . 1998-02-08 19:00 29,952 --a------ C:\WINDOWS\system\BORLNDMM.DLL
2007-11-30 10:53 . 2007-11-30 10:53 <DIR> d-------- C:\Program Files\ASUS
2007-11-30 10:53 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2007-11-30 10:53 . 1997-04-22 10:16 6,272 --a------ C:\WINDOWS\system32\drivers\ASLM75.SYS
2007-11-30 10:47 . 2007-11-30 10:56 26 --a------ C:\WINDOWS\CMCDPLAY.INI

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 04:35 --------- d-----w C:\Program Files\QuickTime
2007-10-29 04:34 --------- d-----w C:\Program Files\Apple Software Update
2007-10-29 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-25 16:42 8,320,512 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-14 21:15 --------- d-----w C:\Program Files\Winamp
2007-10-14 21:12 --------- d-----w C:\Program Files\Monkey's Audio
2007-10-14 06:04 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\Registry Cleaner
2007-10-13 02:32 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\BitTorrent
2007-10-13 02:31 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-10-13 02:31 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\BitTorrent DNA
2007-10-13 02:11 --------- d-----w C:\Program Files\eMule
2007-07-26 02:16 54,504 ----a-w C:\Documents and Settings\CM Hwang\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 22:38 912 ----a-w C:\Program Files\INSTALL.LOG
2007-01-05 00:52 5 --sha-w C:\WINDOWS\system32\faaabe_s.dll
.

(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:47]
"NVIEW"="nview.dll" [2003-05-02 15:19 C:\WINDOWS\system32\nview.dll]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-04-05 13:44]
"MsServer"="msfun80.exe" []
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-13 10:31]
"Registry Cleaner"="C:\Program Files\Registry Cleaner\RegClean.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:48 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-05-02 15:19 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-22 23:31]
"IMJPMIG8.2"="msime82.exe" []
"SoundMnEx32"="C:\WINDOWS\sscserv.exe" []
"jpgdiag"="C:\WINDOWS\system32\jpgconf.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 14:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Replace C-Media Mixer"="C:\WINDOWS\W2KSetup.exe" [2001-12-08 04:32]
"C-Media Mixer"="Mixer.exe" [2001-10-23 01:24 C:\WINDOWS\Mixer.exe]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 15:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:47]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 14:02]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxtmmnmd]
C:\WINDOWS\system32\dxtmmnmd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jpgmgr]
jpgmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^GStartup.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\GStartup.lnk
backup=C:\WINDOWS\pss\GStartup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CM Hwang^「開始」功能表^程式集^啟動^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\CM Hwang\「開始」功能表\程式集\啟動\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent]
C:\Program Files\CyberLink\PowerVCRII\Agent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote_Agent]
C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R2 ADPTEHCD;%ADPT_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\asusehcd.sys
R2 AUSBD_FilterService;AUSBD Filter Service;C:\WINDOWS\system32\DRIVERS\asususbd.sys
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 AVCam;Samsung MPCC20 Digital Camera; Video;C:\WINDOWS\system32\DRIVERS\CamDrS21.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0467ebfa-d2ad-11db-8122-00045a7a43d1}]
\Shell\Auto\command - F:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{999fc0ee-5175-11db-80f8-00045a7a43d1}]
\Shell\AutoRun\command - F:\Autorun.exe

.
排程工作資料夾的內容
"2007-12-08 17:28:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-01-07 18:36:28 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 01:42:58
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描隱藏的程序...

掃描隱藏的進程...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsServer = msfun80.exe???.

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
完成時間?: 2007-12-09 1:44:34 - machine was rebooted
.
--- E O F ---

Shaba
2007-12-08, 19:00
Hi

Thanks for info.

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\faaabe_s.dll

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsServer"=-
"Registry Cleaner"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMnEx32"=-
"jpgdiag"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxtmmnmd]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jpgmgr]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-


[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^GStartup.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^MyWebSearch Email Plugin.lnk]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0467ebfa-d2ad-11db-8122-00045a7a43d1}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{999fc0ee-5175-11db-80f8-00045a7a43d1}]



Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
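
Added example, not part of the post above and not ComboFix's own code: a Python triage pass over the registry section of the ComboFix log in this thread, flagging the same autostart locations the CFScript cleans (Run values, Winlogon Notify, AppInit_DLLs, MountPoints2 autorun commands). The function names and finding labels are hypothetical, and treating an empty `[]` as "no file stamp could be read for the target" is an assumption about the log format.

```python
import re

# Excerpt of the registry section of the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:47]
"MsServer"="msfun80.exe" []
"Registry Cleaner"="C:\Program Files\Registry Cleaner\RegClean.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2003-05-02 15:19 C:\WINDOWS\system32\nwiz.exe]
"IMJPMIG8.2"="msime82.exe" []
"SoundMnEx32"="C:\WINDOWS\sscserv.exe" []
"jpgdiag"="C:\WINDOWS\system32\jpgconf.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 14:02]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxtmmnmd]
C:\WINDOWS\system32\dxtmmnmd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jpgmgr]
jpgmgr32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= au3su2ck.dll confjpg.dll jpgstat.dll pns6klale4.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0467ebfa-d2ad-11db-8122-00045a7a43d1}]
\Shell\Auto\command - F:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')                  # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<data>.*)$')   # "name"=data
STAMP_RE = re.compile(r'^(?P<data>.*?)\s*\[(?P<stamp>[^\]]*)\]$')  # data [file stamp]


def parse_sections(log):
    """Split the dump into (registry key, body lines) pairs, in log order."""
    sections, current = [], None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group('key'), [])
            sections.append(current)
        elif current is not None:
            current[1].append(line)
    return sections


def triage(log):
    """Return (finding, key, detail) tuples for entries that need a human look."""
    findings = []
    for key, body in parse_sections(log):
        k = key.lower()
        if k.endswith('\\currentversion\\run'):
            # Assumption: an empty [] means no file stamp was read for the
            # target, so the value points at something that needs review.
            # Note IMJPMIG8.2 is flagged too; the CFScript above leaves it in place.
            for line in body:
                v = VALUE_RE.match(line)
                s = STAMP_RE.match(v.group('data')) if v else None
                if s and s.group('stamp') == '':
                    findings.append(('run-target-unresolved', key, v.group('name')))
        elif '\\winlogon\\notify\\' in k:
            # Every Notify package DLL is loaded by winlogon.exe: list them all.
            findings.append(('winlogon-notify', key, ' '.join(body)))
        elif k.endswith('\\currentversion\\windows'):
            # A non-empty AppInit_DLLs list is loaded into every process using user32.
            for line in body:
                v = VALUE_RE.match(line)
                if v and v.group('name').lower() == 'appinit_dlls' and v.group('data').strip():
                    findings.append(('appinit-dlls', key, v.group('data').strip()))
        elif '\\explorer\\mountpoints2\\' in k:
            # Cached autorun commands for a volume, e.g. from a removable drive.
            cmds = [l.split(' - ', 1)[1] for l in body if 'command - ' in l]
            if cmds:
                findings.append(('removable-media-autorun', key, '; '.join(cmds)))
    return findings


if __name__ == '__main__':
    for finding, key, detail in triage(SAMPLE_LOG):
        print(f'{finding:26} {detail}\n{"":26} {key}')
```

A flag here is a prompt for review, not a verdict: each hit still has to be checked against what is actually installed on the machine before anything is removed.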

hwangche
2007-12-08, 22:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:32, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\r_server.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 5275 bytes

hwangche
2007-12-08, 22:03
ComboFix 07-12-08.1 - CM Hwang 2007-12-09 4:49:42.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.950.1.1028.18.49 [GMT 8:00]
執行位置?: C:\Documents and Settings\CM Hwang\桌面\ComboFix.exe
Command switches used :: C:\Documents and Settings\CM Hwang\桌面\CFScript.txt
* 已建立新的還原點

FILE
C:\WINDOWS\system32\faaabe_s.dll
.

(((((((((((((((((((((((((((((((((((((( 其他遭刪除的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\faaabe_s.dll

.
(((((((((((((((((((((((((((( 2007-11-08 - 2007-12-08 之間建立的檔案 )))))))))))))))))))))))))))))))))
.

2007-12-09 01:38 . 2007-12-09 01:38 68,879 --a------ C:\Documents and Settings\CM Hwang\catchme.zip
2007-12-06 07:54 . 2007-12-06 07:54 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-04 13:37 . 2007-12-04 13:37 <DIR> d-------- C:\Program Files\Lavalys
2007-12-04 13:05 . 2007-12-04 13:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Innovative Solutions
2007-12-04 13:04 . 2006-11-22 11:35 42,496 --a------ C:\WINDOWS\system32\AdvUninstCPL.cpl
2007-12-02 06:48 . 2001-07-24 23:15 241,664 --a------ C:\WINDOWS\system32\r_server.exe
2007-12-02 06:48 . 2000-07-10 20:06 90,112 --a------ C:\WINDOWS\system32\admdll.dll
2007-12-01 12:17 . 2007-12-01 12:17 <DIR> d--hs---- C:\FOUND.012
2007-11-30 15:44 . 2007-11-30 15:44 <DIR> d--hs---- C:\FOUND.011
2007-11-30 15:19 . 2007-11-30 15:19 <DIR> d--hs---- C:\FOUND.010
2007-11-30 10:57 . 2007-11-30 10:57 <DIR> d-------- C:\Program Files\Intel
2007-11-30 10:57 . 2001-11-15 00:00 87,018 --a------ C:\WINDOWS\system32\drivers\IdeChnDr.sys
2007-11-30 10:57 . 2001-11-15 00:00 41,022 --a------ C:\WINDOWS\system32\IPrtCnst.dll
2007-11-30 10:57 . 2001-11-15 00:00 13,654 --a------ C:\WINDOWS\system32\drivers\IdeBusDr.sys
2007-11-30 10:54 . 1998-02-09 03:00 1,455,736 --a------ C:\WINDOWS\system\VCL35.BPL
2007-11-30 10:54 . 1998-02-08 19:00 996,872 --a------ C:\WINDOWS\system\CP3240MT.DLL
2007-11-30 10:54 . 1998-05-18 10:52 458,752 --a------ C:\WINDOWS\system\COMCTL32.DLL
2007-11-30 10:54 . 1998-02-09 03:00 245,912 --a------ C:\WINDOWS\system\VCLX35.BPL
2007-11-30 10:54 . 1998-02-09 03:00 187,392 --a------ C:\WINDOWS\system\BCBSMP35.BPL
2007-11-30 10:54 . 1998-02-08 19:00 29,952 --a------ C:\WINDOWS\system\BORLNDMM.DLL
2007-11-30 10:53 . 2007-11-30 10:53 <DIR> d-------- C:\Program Files\ASUS
2007-11-30 10:53 . 1996-11-05 16:13 299,008 --a------ C:\WINDOWS\uninst.exe
2007-11-30 10:53 . 1997-04-22 10:16 6,272 --a------ C:\WINDOWS\system32\drivers\ASLM75.SYS
2007-11-30 10:47 . 2007-11-30 10:56 26 --a------ C:\WINDOWS\CMCDPLAY.INI

.
(((((((((((((((((((((((((((((((((((( 近三個月內更動的檔案 )))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 04:35 --------- d-----w C:\Program Files\QuickTime
2007-10-29 04:34 --------- d-----w C:\Program Files\Apple Software Update
2007-10-29 04:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-10-25 16:42 8,320,512 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-14 21:15 --------- d-----w C:\Program Files\Winamp
2007-10-14 21:12 --------- d-----w C:\Program Files\Monkey's Audio
2007-10-14 06:04 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\Registry Cleaner
2007-10-13 02:32 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\BitTorrent
2007-10-13 02:31 --------- d-----w C:\Program Files\BitTorrent_DNA
2007-10-13 02:31 --------- d-----w C:\Documents and Settings\CM Hwang\Application Data\BitTorrent DNA
2007-10-13 02:11 --------- d-----w C:\Program Files\eMule
2007-07-26 02:16 54,504 ----a-w C:\Documents and Settings\CM Hwang\Application Data\GDIPFONTCACHEV1.DAT
2005-05-12 22:38 912 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2007-12-09_ 1.43.50.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-13 02:57:12 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
.
(((((((((((((((((((((((((((((((((((((((((( 重要登錄檔 )))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*注意* 空白或合法的登錄值將不會顯示

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:47]
"NVIEW"="nview.dll" [2003-05-02 15:19 C:\WINDOWS\system32\nview.dll]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-04-05 13:44]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-13 10:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:32]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 15:48]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 15:48 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2003-05-02 15:19 C:\WINDOWS\system32\nwiz.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-04-22 23:31]
"IMJPMIG8.2"="msime82.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-24 14:02]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"Replace C-Media Mixer"="C:\WINDOWS\W2KSetup.exe" [2001-12-08 04:32]
"C-Media Mixer"="Mixer.exe" [2001-10-23 01:24 C:\WINDOWS\Mixer.exe]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 15:47]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15:47]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-24 14:02]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^「開始」功能表^程式集^啟動^SpySubtract.lnk]
path=C:\Documents and Settings\All Users\「開始」功能表\程式集\啟動\SpySubtract.lnk
backup=C:\WINDOWS\pss\SpySubtract.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^CM Hwang^「開始」功能表^程式集^啟動^MyWebSearch Email Plugin.lnk]
path=C:\Documents and Settings\CM Hwang\「開始」功能表\程式集\啟動\MyWebSearch Email Plugin.lnk
backup=C:\WINDOWS\pss\MyWebSearch Email Plugin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent]
C:\Program Files\CyberLink\PowerVCRII\Agent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Remote_Agent]
C:\Program Files\CyberLink\PowerVCRII\RemoteAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

R2 ADPTEHCD;%ADPT_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\DRIVERS\asusehcd.sys
R2 AUSBD_FilterService;AUSBD Filter Service;C:\WINDOWS\system32\DRIVERS\asususbd.sys
R2 r_server;Remote Administrator Service;"C:\WINDOWS\system32\r_server.exe" /service
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 AVCam;Samsung MPCC20 Digital Camera; Video;C:\WINDOWS\system32\DRIVERS\CamDrS21.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys

.
排程工作資料夾的內容
"2007-12-08 20:43:14 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2007-01-07 18:36:28 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1331 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-09 04:55:52
Windows 5.1.2600 Service Pack 2 FAT NTAPI

掃描隱藏的程序...

掃描隱藏的進程...

掃描隱藏的檔案...

掃描完成
隱藏檔案?: 0

**************************************************************************
.
完成時間?: 2007-12-09 4:57:51 - machine was rebooted
C:\ComboFix2.txt ... 2007-12-09 01:44
.
--- E O F ---

Shaba
2007-12-09, 11:10
Hi

Looking better :)

Next step is online scan:

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

hwangche
2007-12-12, 06:18
Sorry, I have no internet connection at home right now. I will follow your steps and post the report as soon as I get the connection back at home. Thanks for helping.

Shaba
2007-12-12, 10:31
Hi

Ok, I'll be waiting :)

hwangche
2007-12-14, 21:06
Hi

Ok, I'll be waiting :)

I'm back! However, I couldn't scan my computer using the link you posted, since every time I do the scan, my computer automatically restarts before it finishes scanning. Is there a way to fix it?

Shaba
2007-12-15, 10:49
Hi

What is the temperature of CPU?

hwangche
2007-12-15, 23:06
Hi, I put my computer in a cooler place and the scanning could be done. Here is the report:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 16, 2007 6:03:29 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/12/2007
Kaspersky Anti-Virus database records: 483327
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 91711
Number of viruses found: 6
Number of infected objects: 84
Number of suspicious objects: 95
Duration of the scan process: 01:12:10

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptddrv1.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01062007-184523.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\016C0000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B00000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A80000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B40000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00001.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07AC0000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40001.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00002.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40002.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B40001.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B40002.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00003.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00004.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00005.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00006.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0001.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00007.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00008.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A00009.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A0000A.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A0000B.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0002.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0003.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40003.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40004.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40005.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40006.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40007.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40008.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07BC0004.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00001.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00002.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B80000.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C00003.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07AC0001.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B80001.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B80002.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B80003.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B80004.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B80005.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B80006.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C40009.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000A.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B80007.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07B40003.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000B.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07A80001.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000C.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07C4000D.VBN Infected: Net-Worm.Win32.Mytob.n skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\CM Hwang\ntuser.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\History\History.IE5\MSHist012007121620071217\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From Christopher Danielson <csd@math.msu.edu>][Date Thu, 19 Sep 2002 14:46:31 -0400]/UNNAMED/[From Jeanne Wald <wald@math.msu.edu>][Date Wed, 25 Sep 2002 08:55:27 -0400]/text/[From Jeanne Wald <wald@math.msu.edu>][Date Mon, 30 Sep 2002 09:07:22 -0400]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, 30 Sep 2002 10:41:31 -0500 (CDT)]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, ... /[From "kim mi" <kim_mi02@hotmail.com>][Date Fri, 11 Oct 2002 01:56:15 -0400]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From Christopher Danielson <csd@math.msu.edu>][Date Thu, 19 Sep 2002 14:46:31 -0400]/UNNAMED/[From Jeanne Wald <wald@math.msu.edu>][Date Wed, 25 Sep 2002 08:55:27 -0400]/text/[From Jeanne Wald <wald@math.msu.edu>][Date Mon, 30 Sep 2002 09:07:22 -0400]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, 30 Sep 2002 10:41:31 -0500 (CDT)]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, ... /[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From Christopher Danielson <csd@math.msu.edu>][Date Thu, 19 Sep 2002 14:46:31 -0400]/UNNAMED/[From Jeanne Wald <wald@math.msu.edu>][Date Wed, 25 Sep 2002 08:55:27 -0400]/text/[From Jeanne Wald <wald@math.msu.edu>][Date Mon, 30 Sep 2002 09:07:22 -0400]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, 30 Sep 2002 10:41:31 -0500 (CDT)]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, ... /[From onlinebillpay@broadband.att.com][Date Wed, 2 Oct 2002 17:31:52 -0600]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From Christopher Danielson <csd@math.msu.edu>][Date Thu, 19 Sep 2002 14:46:31 -0400]/UNNAMED/[From Jeanne Wald <wald@math.msu.edu>][Date Wed, 25 Sep 2002 08:55:27 -0400]/text/[From Jeanne Wald <wald@math.msu.edu>][Date Mon, 30 Sep 2002 09:07:22 -0400]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, 30 Sep 2002 10:41:31 -0500 (CDT)]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, 30 Sep 2002 12:42:40 -0500 (CDT)]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From Christopher Danielson <csd@math.msu.edu>][Date Thu, 19 Sep 2002 14:46:31 -0400]/UNNAMED/[From Jeanne Wald <wald@math.msu.edu>][Date Wed, 25 Sep 2002 08:55:27 -0400]/text/[From Jeanne Wald <wald@math.msu.edu>][Date Mon, 30 Sep 2002 09:07:22 -0400]/text/[From Po Kin Leung <poleung@astro.uiuc.edu>][Date Mon, 30 Sep 2002 10:41:31 -0500 (CDT)]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped

hwangche
2007-12-15, 23:07
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From Christopher Danielson <csd@math.msu.edu>][Date Thu, 19 Sep 2002 14:46:31 -0400]/UNNAMED/[From Jeanne Wald <wald@math.msu.edu>][Date Wed, 25 Sep 2002 08:55:27 -0400]/text/[From Jeanne Wald <wald@math.msu.edu>][Date Mon, 30 Sep 2002 09:07:22 -0400]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From Christopher Danielson <csd@math.msu.edu>][Date Thu, 19 Sep 2002 14:46:31 -0400]/UNNAMED/[From Jeanne Wald <wald@math.msu.edu>][Date Wed, 25 Sep 2002 08:55:27 -0400]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From Christopher Danielson <csd@math.msu.edu>][Date Thu, 19 Sep 2002 14:46:31 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date header was inserted by mtaout01.icomcast.net]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date header was inserted by mtaout01.icomcast.net]/UNNAMED/att00039.bat Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date header was inserted by mtaout01.icomcast.net]/UNNAMED/[From <layanz6405n15@hotmail.com>][Date Fri, 25 Oct 2002 00:24:34 +1000]/text/[From hill <hill@math.msu.edu>][Date Fri, 25 Oct 2002 09:47:24 -0400]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date header was inserted by mtaout01.icomcast.net]/UNNAMED/[From <layanz6405n15@hotmail.com>][Date Fri, 25 Oct 2002 00:24:34 +1000]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date header was inserted by mtaout01.icomcast.net]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 -0400]/UNNAMED/[From Peter Bates <mthc ... /[Fr ... /[From Jack Foland <foland@nemo.mth.msu.edu>][Date Fri, 15 Nov 2002 16:43:51 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 -0400]/UNNAMED/[From Peter Bates <m ... /[From "Kimberly Ann Yake" <yakekimb@pilot.msu.edu>][Date Mon, 9 Dec 2002 13:52:03 -0500 (EST)]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 -0400]/UNNAMED/[From Peter Bates <mthc .. ... ... / ... /[From "Kening Lu" <klu@math.msu.edu>][Date Mon, 2 Dec 2002 13:26:03 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 -0400]/UNNAMED/[From Peter Bates ... /[From American Mathematical Society <amsmem@ams.org>][Date Wed, 11 Dec 2002 05:07:56 -0500 (EST)]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbrec@ias.edu> (by way ... /[From postmaster@microsoft.com][Date Tue, 24 Dec 2002 08:41:01 -0800]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... /[From ... /[From Jack Foland <foland@math.msu.edu>][Date Fri, 03 Jan 2003 17:01:56 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... /[From ... /[From endersjo <endersjo@pilot.msu.edu>][Date Sun, 5 Jan 2003 18:59:20 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... /[From ... /[ ... /[From maple <maple@chosun.com>][Date Tue, 7 Jan 2003 06:37:13 -050 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... ... /[F ... /[From mavrukca <mavrukca@pilot.msu.edu>][Date Wed, 8 Jan 2003 05:12:21 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... ... /[F ... /[From sunyuzhi <sunyuzhi@pilot.msu.edu>][Date Wed, 8 Jan 2003 06:49:30 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbr ... /[From Mail Delivery Subsy ... /[From inet <inet@microsoft.com>][Date Sun, 12 Jan 2003 12:07:24 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbr ... /[From Mail Delivery Subsystem <MAILER-DAEMON@p ... /[From pm846-09.dialip.mich.net [35.12.24.211]]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbr ... /[From Mail Delivery Subsystem <MAILER-DAEMON@pilot.msu.edu>][Date Sun, 12 Jan 2003 12:07:46 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht ... /[From Fujitsu LifeBook Club ... /[From <big@boss.com>][Date Sun, 12 Jan 2003 0:45:40 --0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht ... /[From Fujitsu LifeBook Club <lifebookclub@carlson.com>][Date Thu, 09 Jan 2003 05:35:53 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... ... /[Fr ... /[From onlinebillpay@broadband.att.com][Date Wed, 08 Jan 2003 07:47:20 -0700]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped

hwangche
2007-12-15, 23:09
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... ... /[From Zeynep Altinsel <altinsel@pilot.msu.edu>][Date Tue, 07 Jan 2003 15:57:36 -0500]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... ... /[From Alexander Volberg <volberg@math.msu.edu>][Date Sun, 19 Jan 2003 00:35:35 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr . ... /[From xushujuan1977 <xushujuan1977@yahoo.com.cn>][Date Thu, 23 Jan 2003 14:38:02 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht <giesbr ... /[From Ralph Svetic <rsvetic@math.msu.edu>][Date Thu, 23 Jan 2003 10:38:37 -0500 (EST)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht ... /[Fro ... / ... /[From Mark_Hurwitz <Mark_Hurwitz@pall.com>][Date Fri, 24 Jan 2003 16:28:12 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbrecht ... /[Fro ... /[From pm606-15.dialip.mich.net [35.12.14.167]][Date Fri, 24 Jan 2003 15:02:35 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox/[From "William C. Brown" <brown@math.msu.edu>][Date Tue, 29 Oct 2002 15:28:16 -0500]/text/[From Zeynep Altinsel <altinsel@msu.edu>][Date Fri, 01 Nov 2002 11:15:31 -0500]/text/[From Kathie Ellis <ellisk@pilot.msu.edu> (by way of Linda Johnson <ljohnson@msu.edu>) (by way of Sterling Tryon-Hartwig <sterling@math.msu.edu>)][Date Mon, 04 Nov 2002 08:55:43 ... /[From Catherine Giesbr ... /[From Mail Delivery Subsyste ... /[From yli <yli@math.uci.edu>][Date Fri, 24 Jan 2003 16:37:19 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped

hwangche
2007-12-15, 23:10

hwangche
2007-12-15, 23:11
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Inbox Mail Berkeley mbox: infected - 3, suspicious - 85 skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date header was inserted by mtaout01.icomcast.net]/UNNAMED/att00039.bat Infected: Email-Worm.Win32.Klez.h skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date he ... /[From hill <hill@math.msu.edu>][Date Fri, 25 Oct 2002 09:47:24 -040 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date he ... /[From hill <hill@math.msu.edu>][Date Fri, 25 Oct 2002 09:47:24 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED/[From vaninsky <vaninsky@comcast.net>][Date Date header was inserted by mtaout01.icomcast.net]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From homedormoffice <homedormoffice@yahoo.ca>][Date Thu, 24 Oct 2002 22:50:00 -0400]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From Peter Bates <mthchair@math.msu.edu>][Date Thu, 14 Nov 2002 15:58:49 -0500]/text/[From queenbshay03 <queenbshay03@aol.com>][Date Mon, 9 Dec 2002 20:34:54 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From Peter Bates <mthchair@math.msu.edu>][Date Thu, 14 Nov 2002 15:58:49 -0500]/text/[From mavrukca <mavrukca@pilot.msu.edu>][Date Fri, 13 Dec 2002 03:32:46 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From Peter Bates <mthchair@math.msu.edu>][Date Thu, 14 Nov 2002 15:58:49 -0500]/text/[From mavrukca <mavrukca@pilot.msu.edu>][Date Fri, 13 Dec 2002 03:32:46 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text/[From Peter Bates <mthchair@math.msu.edu>][Date Thu, 14 Nov 2002 15:58:49 -0500]/text Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text/[From Fedor Nazarov <fedja@math.msu.edu>][Date Mon, 21 Oct 2002 18:20:08 -0400 (EDT)]/text Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED/[From Alexander Volberg <volberg@math.msu.edu>][Date Mon, 14 Oct 2002 23:28:59 -0400]/text Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash/[From webmaster <webmaster@fec.gov>][Date Tue, 15 Oct 2002 19:56:28 -0400]/UNNAMED Infected: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Profiles\HwangCheukMan\faepa5ba.slt\Mail\pilot.msu.edu\Trash Mail Berkeley mbox: infected - 6, suspicious - 10 skipped
C:\Documents and Settings\CM Hwang\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip ZIP: infected - 5 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE Gentee: infected - 4 skipped
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\System Volume Information\_restore{574E323E-C519-4377-8F4C-5D7899A20C32}\RP444\A0076583.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\_restore{574E323E-C519-4377-8F4C-5D7899A20C32}\RP456\change.log Object is locked skipped
E:\My Download Files\ServUSetup.exe/SERVUDAEMON.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.4108 skipped
E:\My Download Files\ServUSetup.exe ZIP: infected - 1 skipped

Scan process completed.

hwangche
2007-12-15, 23:14
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:41, on 16/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 4956 bytes

Shaba
2007-12-16, 11:07
Hi

Empty this folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine

Empty Recycle Bin.

Delete all bad emails shown in Kaspersky report (pilot.msu.edu account) and empty Trash folder.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

hwangche
2007-12-17, 04:02
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 17, 2007 10:59:24 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/12/2007
Kaspersky Anti-Virus database records: 484233
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 91752
Number of viruses found: 3
Number of infected objects: 20
Number of suspicious objects: 0
Duration of the scan process: 01:37:02

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\drivers\sptddrv1.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{315D09C4-E523-4D4A-AC28-D1219F956883}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-01062007-184523.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\CM Hwang\ntuser.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\History\History.IE5\MSHist012007121720071218\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\CM Hwang\Local Settings\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\CM Hwang\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\history.dat Object is locked skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\parent.lock Object is locked skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\search.sqlite Object is locked skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\cert8.db Object is locked skipped
C:\Documents and Settings\CM Hwang\Application Data\Mozilla\Firefox\Profiles\t7qgshk0.default\key3.db Object is locked skipped
C:\Documents and Settings\CM Hwang\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip ZIP: infected - 5 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21\RADMIN21.EXE Gentee: infected - 4 skipped
C:\Program Files\Radmin\AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\System Volume Information\_restore{574E323E-C519-4377-8F4C-5D7899A20C32}\RP444\A0076583.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\System Volume Information\_restore{574E323E-C519-4377-8F4C-5D7899A20C32}\RP456\change.log Object is locked skipped
E:\System Volume Information\_restore{574E323E-C519-4377-8F4C-5D7899A20C32}\RP456\change.log Object is locked skipped
E:\My Download Files\ServUSetup.exe/SERVUDAEMON.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.4108 skipped
E:\My Download Files\ServUSetup.exe ZIP: infected - 1 skipped

Scan process completed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:48, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Customer\Wireless PCI_CardBus utility V1.01\Wireless PCI_CardBus utility V1.01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.2] msime82.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Replace C-Media Mixer] C:\WINDOWS\W2KSetup.exe -ReplaceMixer
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-19\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: 雅虎搜索 - res://C:\Program Files\Yahoo!\Assistant\Assist\yasbar.dll/203
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java 主控台 - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {E847C78C-C210-4195-8799-FBF3BF89797D} (金山毒霸在??品升?) - http://www.duba.net/cab/KOSInit.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

--
End of file - 5219 bytes
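One way to cross-check the two logs in the post above, added here as an example and not part of the original thread: it lists the on-disk files Kaspersky named and marks any that HijackThis also shows registered as an O23 service. The function names are this example's own, the two excerpts are lines copied from the logs above, and paths in 8.3 short form (such as C:\PROGRA~1) are assumed not to need matching.

```python
import re
from collections import defaultdict

# Excerpt of lines copied from the Kaspersky report above (not the full report).
KASPERSKY_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\WINDOWS\system32\admdll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip/RADMIN21.EXE Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Program Files\ICQ\Received Files\Ma Chai\radmin21.zip ZIP: infected - 5 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
E:\My Download Files\ServUSetup.exe/SERVUDAEMON.EXE Infected: not-a-virus:Server-FTP.Win32.Serv-U.4108 skipped
E:\My Download Files\ServUSetup.exe ZIP: infected - 1 skipped
"""

# Excerpt of lines copied from the HijackThis log above (not the full log).
HIJACKTHIS_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
"""

# "<object> Infected|Suspicious: <detection name> <last action>".
# Object paths contain spaces, so the object is everything before the verdict.
DETECTION = re.compile(
    r"^(?P<obj>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\w+)$"
)

# "O23 - Service: <display name> - <owner> - <drive:\path>".
# Anchoring the path on a drive letter tolerates " - " inside the path itself.
SERVICE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$"
)


def parse_detections(report):
    """Map each on-disk file (lower-cased) to the detection names reported
    for it or for members packed inside it."""
    found = defaultdict(set)
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            # "Object is locked" lines and container summaries such as
            # "ZIP: infected - 5" carry no detection name.
            continue
        # Members of archives and mailboxes are appended after "/"; a Windows
        # path never contains "/", so the first segment is the file on disk.
        on_disk = m["obj"].split("/", 1)[0]
        found[on_disk.lower()].add(m["name"])
    return dict(found)


def parse_services(hjt_log):
    """Map each O23 service binary path (lower-cased) to (display name, owner)."""
    services = {}
    for line in hjt_log.splitlines():
        m = SERVICE.match(line.strip())
        if m:
            services[m["path"].lower()] = (m["display"], m["owner"])
    return services


def correlate(report, hjt_log):
    """One row per detected on-disk file, with the O23 service that points at
    the same path, if there is one."""
    services = parse_services(hjt_log)
    rows = []
    for path, names in sorted(parse_detections(report).items()):
        display, owner = services.get(path, (None, None))
        rows.append({"file": path, "detections": sorted(names),
                     "service": display, "owner": owner})
    return rows


def autostarting(rows):
    """Detected files that are also started as a Windows service."""
    return [r for r in rows if r["service"] is not None]


if __name__ == "__main__":
    for row in correlate(KASPERSKY_REPORT, HIJACKTHIS_LOG):
        where = f'service "{row["service"]}" ({row["owner"]})' if row["service"] else "on disk only"
        print(f'{row["file"]}: {", ".join(row["detections"])} -> {where}')
```

A copy that is only sitting in a download folder and a copy that the Service Control Manager starts at boot are different findings, which is why the two logs are read together.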

Shaba
2007-12-17, 10:35
Hi

That looks good :)

Still problems?

hwangche
2007-12-18, 15:17
Every time I start my computer, there is an error message saying that "Setup MFC Application" crashes. Do you have any idea about that? Thanks.

hwangche
2007-12-18, 15:21
Here is the information from the error message:

AppName: w2ksetup.exe AppVer: 2.0.0.0 ModName: w2ksetup.exe
ModVer: 2.0.0.0 Offset: 0000a521

Shaba
2007-12-18, 15:50
Hi

Do you have Acard cmi8738 pci sound card installed?

hwangche
2007-12-19, 19:10
Actually, the audio adapter comes with the motherboard. I checked the model of it with Everest; it says it's a CMI8378 audio chip.




hwangche
2007-12-19, 19:11
it should be CMI8738



Shaba
2007-12-19, 19:15
Hi

Then it's likely a driver issue.

Do you have latest drivers for that?

hwangche
2007-12-20, 04:19
I've downloaded the most updated driver from the web and installed it, but the error message still shows.





Shaba
2007-12-20, 10:27
Hi

Then I don't think that I can help with that issue.

However, I can re-direct you to some windows forum if you like.

Is that ok?

hwangche
2007-12-21, 03:12
Sure! Thanks a lot for helping me so long.




Shaba
2007-12-21, 11:12
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

I recommend this (http://forums.pcpitstop.com/index.php?) forum.

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/)
2) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
3) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
4) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Next we remove all used tools.

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) and save it to desktop.

Double-click OTMoveIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware 2007 to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop-up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :santa:

Shaba
2007-12-23, 11:08
Since this issue appears resolved ... this Topic is closed. Glad I could help.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.