PDA

View Full Version : This System is Possessed


coste
2008-04-12, 23:15
I purchased this computer from someone I know on the cheap, because he said it has a virus.
THIS SYSTEM IS POSSESSED!
1.About every 5 minutes this message pops up,
Windows Security Alert!
Warning! Potential Spyware Operation!
You computer is making unauthorised copies of your System and
Internet files. Run full scan now to prevent any unauthorised access
to your files! Click YES to download Spyware Remover...
Misspelling included.
I've been clicking NO.
2.I cannot Access the Control Panel. If you click on Start the Control Panel is not listed.
If I Click Start>Run>Control.exe I get the message
Restrictions
The operation has been cancelled due to restrictions in effect on this computer. Please
contact your system administrator.
3.Cannot access properties from My Computer. Click Start>My Computer, right mouse click>
Properties. Same message as item 2.
4.My Home Page keeps getting changed to Google.
5. I have to run Spybot, no luck. I can download it and start the installation. The
installation runs to the point where the check boxes Run S&D, Run Teatimer are displayed.
Click on OK and nothing happens
6.Kaspersky Online Scanner,when I click on the link in "Before You Post" using the infected system
it goes no where. No Error, It just stays on the "Before You Post, post. It works fine on
my good system. I tried googling "Kaspersky Online Scanner" Following the Link, but after
repeated tries all I get is "The page cannot be displayed. Works fine on my good sytem.
7. HiJack This, I get the same result from the HiJack this Link. I went to a site and
downloaded HiJack This 2.02 to the desktop. when I double-click on the desktop icon the
System asks if I want to run it. When I click RUN nothing happens. No error, the
program does not execute.
8. The system has an outdated version of PC-cillin (Last update 6/4/2006). It won't update.
The former owner says he ran SmitFruadFix in Safe Mode. It produced a report. I will post
it, might help, it's about all I have.
9. The system says it is booting Windows XP Media Edition. The Dell Support Center says it
is running Windows XP Professional Service Pack 2.
I will Be grateful for any help.
SmitFraudFix Rapport:
SmitFraudFix v2.296
Scan done at 12:33:43.67, Mon 02/25/2008
Run from C:\Documents and Settings\Henry Latour\Desktop\SmitFraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net
10.18.250.4 banners.fastclick.net
10.18.250.4 ca.com
10.18.250.4 click.atdmt.com
10.18.250.4 clicks.atdmt.com
10.18.250.4 customer.symantec.com
10.18.250.4 dispatch.mcafee.com
10.18.250.4 download.mcafee.com
10.18.250.4 downloads-us1.kaspersky-labs.com
10.18.250.4 downloads-us2.kaspersky-labs.com
10.18.250.4 downloads-us3.kaspersky-labs.com
10.18.250.4 downloads1.kaspersky-labs.com
10.18.250.4 downloads2.kaspersky-labs.com
10.18.250.4 downloads3.kaspersky-labs.com
10.18.250.4 downloads4.kaspersky-labs.com
10.18.250.4 engine.awaps.net
10.18.250.4 f-secure.com
10.18.250.4 fastclick.net
10.18.250.4 ftp.avp.ch
10.18.250.4 ftp.downloads1.kaspersky-labs.com
10.18.250.4 ftp.downloads2.kaspersky-labs.com
10.18.250.4 ftp.downloads3.kaspersky-labs.com
10.18.250.4 ftp.f-secure.com
10.18.250.4 ftp.kasperskylab.ru
10.18.250.4 ftp.sophos.com
10.18.250.4 ids.kaspersky-labs.com
10.18.250.4 kaspersky-labs.com
10.18.250.4 kaspersky.com
10.18.250.4 liveupdate.symantec.com
10.18.250.4 liveupdate.symantecliveupdate.com
10.18.250.4 mast.mcafee.com
10.18.250.4 mcafee.com
10.18.250.4 media.fastclick.net
10.18.250.4 my-etrust.com
10.18.250.4 nai.com
10.18.250.4 networkassociates.com
10.18.250.4 norton.com
10.18.250.4 phx.corporate-ir.net
10.18.250.4 rads.mcafee.com
10.18.250.4 secure.nai.com
10.18.250.4 securityresponse.symantec.com
10.18.250.4 service1.symantec.com
10.18.250.4 sophos.com
10.18.250.4 spd.atdmt.com
10.18.250.4 symantec.com
10.18.250.4 trendmicro.com
10.18.250.4 update.symantec.com
10.18.250.4 updates.symantec.com
10.18.250.4 updates1.kaspersky-labs.com
10.18.250.4 updates2.kaspersky-labs.com
10.18.250.4 updates3.kaspersky-labs.com
10.18.250.4 updates4.kaspersky-labs.com
10.18.250.4 updates5.kaspersky-labs.com
10.18.250.4 us.mcafee.com
10.18.250.4 vil.nai.com
10.18.250.4 viruslist.com
10.18.250.4 viruslist.ru
10.18.250.4 virusscan.jotti.org
10.18.250.4 virustotal.com
10.18.250.4 www.avp.ch
10.18.250.4 www.avp.com
10.18.250.4 www.avp.ru
10.18.250.4 www.awaps.net
10.18.250.4 www.ca.com
10.18.250.4 www.f-secure.com
10.18.250.4 www.fastclick.net
10.18.250.4 www.grisoft.com
10.18.250.4 www.kaspersky-labs.com
10.18.250.4 www.kaspersky.com
10.18.250.4 www.kaspersky.ru
10.18.250.4 www.mcafee.com
10.18.250.4 www.my-etrust.com
10.18.250.4 www.nai.com
10.18.250.4 www.networkassociates.com
10.18.250.4 www.sophos.com
10.18.250.4 www.symantec.com
10.18.250.4 www.trendmicro.com
10.18.250.4 www.viruslist.com
10.18.250.4 www.viruslist.ru
10.18.250.4 www.virustotal.com

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ctfmona.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5449A36A-5B35-4799-9FB6-8AAAA2DF503E}: DhcpNameServer=10.129.1.65
HKLM\SYSTEM\CS1\Services\Tcpip\..\{5449A36A-5B35-4799-9FB6-8AAAA2DF503E}: DhcpNameServer=10.129.1.65
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5449A36A-5B35-4799-9FB6-8AAAA2DF503E}: DhcpNameServer=10.129.1.65
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=10.129.1.65
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=10.129.1.65
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=10.129.1.65


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End
Shaba
2008-04-14, 10:56
Hi coste

Rename HijackThis.exe to coste.exe and let me know if it works now :)
coste
2008-04-14, 14:47
Hi Shaba
Thank you for the help!
Renaming HiJack.exe to Coste.exe worked. I am posting the Log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:36:05 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\DOCUME~1\HENRYL~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\bolenjx.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\WINDOWS\system32\nod32se.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Documents and Settings\Henry Latour\Application Data\U3\0000187DA573904E\LaunchPad.exe
C:\Documents and Settings\Henry Latour\Desktop\Coste.exe.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [bolenja] bolenja.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144071332203
O20 - AppInit_DLLs: kus109.dat
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8268 bytes
Shaba
2008-04-14, 14:52
Hi

First create own folder for HijackThis to desktop and move it into that folder.

After that:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
coste
2008-04-14, 15:41
Hi Shaba

First create own folder for HijackThis to desktop and move it into that folder.

After that:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
First, when I click on the link for SDFix on my infected system it does'nt go to the site, it stays on the forum page.
So, I follwed the link on my good system, downloaded SDFix to my memory stick, copied it to the desktop
of the infected system and tried to run it. When I double-click it does not run, no error message, it just doesn't run.
Shaba
2008-04-14, 15:59
Hi

Then we use this:

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

If it doesn't run either, try to run in safe mode.
coste
2008-04-14, 16:21
Hi Shaba

**Note: It is important that it is saved directly to your desktop**
I still have to use the memory stick.
I tried running Combofix in both normal and safe mode same result
the file would not run. No error message, it just won't run. I still
have to use my good system to follow the links.
Thanks for hanging in there!
Shaba
2008-04-14, 16:24
Hi

Did you copy it to Desktop before that?
coste
2008-04-14, 16:37
Sorry Shaba,
Yes, I copied it from the memory stick to the desktop, before I tried running it.
Thanks
Shaba
2008-04-14, 16:38
Hi

This should work:

Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
coste
2008-04-14, 16:46
Hi Shaba,
A question,
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post.
Close Windows Before double-click?
Thanks
Shaba
2008-04-14, 16:49
Hi

Yes :)
coste
2008-04-14, 16:56
Hi Shaba,
I Had to use the memory stick, copied DSS to the desktop, Double-Clicked
on the DSS icon, It did not run, no error.
I have not tried it in safe mode, should I?
Thanks
Shaba
2008-04-14, 16:58
Hi

Does any executable run properly on that system?
coste
2008-04-14, 17:09
Hi Shaba,
Yes the Applications on the system Word, Excel, and others all seem to run.
Notepad, wordpad run. Anything installed before the infection except things like Control Pane, MSConfig, CTRL+ALT+DEL (Task Manager) generate error messages Access Disabled by Administrator.
HiJack This ran only aftre the name was changed to Coste.exe
Thanks
Shaba
2008-04-14, 17:11
Hi

Let's try this then:

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif
--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
coste
2008-04-14, 17:33
Hi Shaba,
It looks like that worked.
Two things. The Anti-virus that is on here gave warning while Combofix was running, I just allowed it to continue. Combofix rebooted the system before it finished.
I am posting the Combofix log and a new HiJack this log.
ComboFix 08-04-13.3 - Henry Latour 2008-04-14 11:16:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT -4:00]
Running from: C:\Documents and Settings\Henry Latour\Desktop\Combo-Fix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys
C:\Documents and Settings\Henry Latour\Application Data\antivirus.exe
C:\Documents and Settings\Henry Latour\Application Data\printer.exe
C:\Documents and Settings\Henry Latour\Application Data\ultra
C:\Documents and Settings\Henry Latour\Application Data\ultra\uninstall.bat
C:\WINDOWS\bolenja.exe
C:\WINDOWS\bolenjx.exe
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\kus109.dat
C:\WINDOWS\system32\bolenja.exe
C:\WINDOWS\system32\bolenjx.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\kus109.dat
C:\WINDOWS\system32\multikz.exe
C:\WINDOWS\system32\nod32se.exe
C:\WINDOWS\system32\suspend.bin
C:\WINDOWS\system32\suspend.exe
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\wowfx.dll
C:\WINDOWS\Web\default.htt
C:\WINDOWS\Web\deskmovr.htt
C:\WINDOWS\Web\safemode.htt
C:\WINDOWS\wsystmp_etk.exe
C:\WINDOWS\wsystmp_oag.exe
C:\WINDOWS\wsystmp_ovx.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-14 08:32 . 2008-04-14 09:18 <DIR> d-------- C:\HiJack This
2008-04-12 17:02 . 2008-04-14 10:02 <DIR> d-------- C:\Documents and Settings\Henry Latour\Application Data\U3
2008-04-11 15:51 . 2008-04-11 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-04-11 15:50 . 2008-04-11 15:50 <DIR> d-------- C:\Program Files\Dell Support Center
2008-04-11 15:50 . 2008-04-11 15:50 <DIR> d-------- C:\Program Files\Common Files\supportsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 19:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-11 21:03 --------- d-----w C:\Program Files\Trend Micro
2008-04-11 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-03-26 21:47 --------- d-----w C:\Documents and Settings\Henry Latour\Application Data\AdobeUM
2008-03-06 23:29 --------- d-----w C:\Program Files\a-squared Free
2008-03-06 22:30 --------- d-----w C:\Program Files\DIGStream
2008-02-20 14:59 --------- d-----w C:\Documents and Settings\mcgrunt\Application Data\Seagull Software
2008-01-19 12:30 90,112 ----a-w C:\WINDOWS\updreg.exe
.
Files Infected - Win32.Agent.zb
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\UpdReg.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AT&T Global Network Client\NetSP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 19:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-01-19 08:30 102400]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 21:38 20553]
"NetSP - restore settings on power failure"="C:\Program Files\AT&T Global Network Client\NetSP.exe" [2008-01-19 08:30 10752]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-19 08:30 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2008-01-19 08:30 460784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-04-11 16:45 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2008-01-19 08:30 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-19 08:30 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2008-01-19 08:30 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 10:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2008-01-19 08:30 90112]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-01-19 08:30 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-19 08:30 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-19 08:30 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-01-19 08:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-19 08:30 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20 8192]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2008-01-19 08:30 823362]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-01-05 23:24 168448]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-01-19 08:30 49152]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2008-01-19 08:30 106496]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"bolenja"="bolenja.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2006-01-16 10:56]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 11:20:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\DOCUME~1\HENRYL~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE
.
**************************************************************************
.
Completion time: 2008-04-14 11:22:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 15:22:41

Pre-Run: 142,633,816,064 bytes free
Post-Run: 142,558,679,040 bytes free
.
2008-01-22 17:48:59 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24:34 AM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\DOCUME~1\HENRYL~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MUSICM~1\Common\COMPON~1\MMCOMP~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HiJack This\Coste.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [bolenja] bolenja.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144071332203
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8114 bytes
Shaba
2008-04-14, 18:33
Hi

Great to see that it finally worked :bigthumb:

You have/had a really nasty piece of malware there.

First we need to replace beep.sys.

Download it here (http://andymanchesta.com/Files/XP/beep.sys) and copy to C:\WINDOWS\system32\dllcache\ and
C:\WINDOWS\system32\drivers

After that:

Open notepad and copy/paste the text in the codebox below into it:


Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bolenja"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
coste
2008-04-14, 19:20
Hi Shaba,
You have/had a really nasty piece of malware there.
I'm not exactly a novice and I didn't have a clue.
Things are looking better. I can now click-on and follow the links, no more memory stick. I can access the Control Panel.
It's sure is nice to have you guys around!
Thanks again.
Here are the new logs.
ComboFix 08-04-13.3 - Henry Latour 2008-04-14 13:04:54.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.537 [GMT -4:00]
Running from: C:\Documents and Settings\Henry Latour\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\Henry Latour\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-14 08:32 . 2008-04-14 11:24 <DIR> d-------- C:\HiJack This
2008-04-12 17:02 . 2008-04-14 10:02 <DIR> d-------- C:\Documents and Settings\Henry Latour\Application Data\U3
2008-04-11 15:51 . 2008-04-11 15:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SupportSoft
2008-04-11 15:50 . 2008-04-11 15:50 <DIR> d-------- C:\Program Files\Dell Support Center
2008-04-11 15:50 . 2008-04-11 15:50 <DIR> d-------- C:\Program Files\Common Files\supportsoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 16:57 4,224 ----a-w C:\WINDOWS\system32\drivers\beep.sys
2008-04-14 16:57 4,224 ----a-w C:\WINDOWS\system32\dllcache\beep.sys
2008-04-12 19:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-11 21:03 --------- d-----w C:\Program Files\Trend Micro
2008-04-11 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-03-26 21:47 --------- d-----w C:\Documents and Settings\Henry Latour\Application Data\AdobeUM
2008-03-11 20:12 3,412 ----a-w C:\WINDOWS\system32\PerfStringBackup.TMP
2008-03-06 23:29 --------- d-----w C:\Program Files\a-squared Free
2008-03-06 22:30 --------- d-----w C:\Program Files\DIGStream
2008-02-25 18:13 3,852 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-22 23:44 86,016 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-02-20 14:59 --------- d-----w C:\Documents and Settings\mcgrunt\Application Data\Seagull Software
2008-02-08 15:37 82,432 ----a-w C:\WINDOWS\system32\IEDFix.exe
2008-02-06 00:53 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-19 12:30 90,112 ----a-w C:\WINDOWS\updreg.exe
2005-12-12 19:16 360,600 -c--a-w C:\WINDOWS\Internet Logs\tvuninstall.exe
2005-05-12 03:36 12,288 -c----w C:\WINDOWS\Fonts\RandFont.dll
.
Files Infected - Win32.Agent.zb
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\UpdReg.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AT&T Global Network Client\NetSP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 19:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-01-19 08:30 102400]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2005-08-15 21:38 20553]
"NetSP - restore settings on power failure"="C:\Program Files\AT&T Global Network Client\NetSP.exe" [2008-01-19 08:30 10752]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-19 08:30 68856]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2008-01-19 08:30 460784]
"DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2008-04-11 16:45 202544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 16:01 67584]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2008-01-19 08:30 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 02:20 339968 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2008-01-19 08:30 344064]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 18:19 53248]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2008-01-19 08:30 57344]
"MBMon"="CTMBHA.DLL" [2005-05-19 10:54 1345520 C:\WINDOWS\system32\CTMBHA.DLL]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2008-01-19 08:30 90112]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2008-01-19 08:30 26112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-19 08:30 98304]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2008-01-19 08:30 127035]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2008-01-19 08:30 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-19 08:30 81920]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe" [2005-09-08 21:20 8192]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2008-01-19 08:30 823362]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-01-05 23:24 168448]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2008-01-19 08:30 49152]
"Corel Photo Downloader"="C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe" [2008-01-19 08:30 106496]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=

R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2006-01-16 10:56]
R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 09:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 13:06:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 13:06:21
ComboFix-quarantined-files.txt 2008-04-14 17:06:19
ComboFix2.txt 2008-04-14 15:22:45

Pre-Run: 142,809,821,184 bytes free
Post-Run: 142,797,012,992 bytes free
.
2008-01-22 17:48:59 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:11 PM, on 4/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\HiJack This\Coste.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144071332203
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7939 bytes
Shaba
2008-04-14, 19:25
Hi

All files below are infected to load a specific infection. The infection has been removed and that's why they are harmless but still infected. So you have to choose to either leave them as they are or to uninstall and reinstall the programs to which they belong to:

C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\UpdReg.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AT&T Global Network Client\NetSP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe

However, don't do it now anyway.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
Click the Save Report As... button (see red arrow below)
http://img.photobucket.com/albums/v666/sUBs/Kas-SaveReport-1.gif
In the Save as... prompt, select Desktop
In the File name box, name the file KasScan-ddmmyy (or similar)
In the Save as type prompt, select Text file (see below)
http://img.photobucket.com/albums/v666/sUBs/Kas-Savetxt.gif
Now click on the Save as Text button
Savethe file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only! Keep ALL other programs closed during the scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report
coste
2008-04-14, 20:03
Hi Shaba,
The browser IE7 will not allow Kaspersky to download its ActiveX controls.
When I go TOOLS>INTERNET OPTIONS>SECURITY> click on Internet, click-on Custom, to change the settings, Custom comes up blank, no check boxes.
Don't know what to do.
This is getting scary!
Thanks
Shaba
2008-04-15, 14:25
Hi

Then we use this:

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file in your next reply along with a fresh HijackThis log.
coste
2008-04-15, 20:21
Hi Shaba,
First the mbam log.
Malwarebytes' Anti-Malware 1.11
Database version: 633

Scan type: Full Scan (C:\|)
Objects scanned: 102994
Time elapsed: 29 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 313

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Documents and Settings\Henry Latour\Application Data\antivirus.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP349\A0022424.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\A0022559.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\A0022560.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\A0022565.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\A0022569.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\A0022575.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\A0022581.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-1.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-10.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-11.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-12.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-13.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-14.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-15.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-16.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-17.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-18.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-19.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-2.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-20.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-21.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-22.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-23.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-24.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-25.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-26.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-27.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-28.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-29.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-3.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-30.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-31.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-32.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-33.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-34.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-35.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-36.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-37.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-38.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-39.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-4.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-40.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-41.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-42.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-43.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-44.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-45.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-46.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-47.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-48.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-49.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-5.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-50.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-51.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-52.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-53.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-54.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-55.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-56.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-57.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-58.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-59.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-6.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-60.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-61.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-62.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-63.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-64.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-65.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-66.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-67.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-68.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-69.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-7.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-70.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-71.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-72.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-73.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-74.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-75.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-76.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-77.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-78.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-79.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-8.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-80.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-81.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-82.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-83.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-84.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-85.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-86.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-87.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-88.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-89.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-9.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-90.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-91.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-92.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-93.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-94.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP350\snapshot\MFEX-95.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\A0024590.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\A0024591.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\A0024593.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\A0024594.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\A0024596.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\A0024598.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\A0024599.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-1.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-10.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-11.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-12.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-13.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-14.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-15.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-16.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-17.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-18.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-19.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-2.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-20.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-21.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-22.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-23.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-24.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-25.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-26.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-27.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-28.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-29.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-3.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-30.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-31.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-32.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-33.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-34.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-35.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-36.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-37.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-38.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-39.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-4.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-40.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-41.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-42.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-43.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-44.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-45.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-46.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-47.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-48.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-49.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-5.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-50.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-51.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-52.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-6.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-7.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-8.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP351\snapshot\MFEX-9.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\A0024600.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\A0024601.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\A0024664.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-1.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-10.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-11.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-12.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-13.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-14.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-15.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-16.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-17.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-18.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-19.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-2.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-20.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-21.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-22.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-23.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-24.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-25.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-26.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-27.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-28.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-29.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-3.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-30.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-31.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-32.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-33.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-34.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-35.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-36.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-37.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-38.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-39.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-4.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-40.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-41.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-42.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-43.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-44.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-45.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-46.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-47.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-48.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-49.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-5.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-50.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-51.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-52.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-53.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-54.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-55.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-56.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-57.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-58.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-59.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-6.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-60.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-61.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-62.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-63.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-64.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-65.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-66.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-7.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-8.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP352\snapshot\MFEX-9.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\A0024669.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\A0024671.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-1.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-10.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-11.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-12.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-13.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-14.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-15.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-16.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-17.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-18.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-19.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-2.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-20.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-21.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-22.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-23.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-24.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-25.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-26.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-27.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-28.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-29.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-3.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-30.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-31.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-32.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-33.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-34.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-35.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-36.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-37.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-38.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-39.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-4.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-40.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-41.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-42.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-43.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-44.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-45.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-46.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-47.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-48.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-49.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-5.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-50.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-51.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-52.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-53.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-54.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-55.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-56.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-57.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-58.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-59.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-6.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-60.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-61.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-62.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-7.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-8.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP353\snapshot\MFEX-9.DAT (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP354\A0024811.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP354\A0024813.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP355\A0024862.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP355\A0024864.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP355\A0024903.dll (Trojan.Qhost) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP359\A0027235.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP359\A0027365.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP362\A0027435.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP369\A0028674.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP369\A0028684.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP376\A0028977.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP384\A0029294.exe (Trojan.Pakes) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP396\A0029639.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dcfmtkn.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fihsrqhcb.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nedsbqdsbqdsr.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sjqtofipsredsr.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\inf\ultra.PNF (Malware.Trace) -> Quarantined and deleted successfully.
Now the new HiJack This Log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:15:57 PM, on 4/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 SP2 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\DOCUME~1\HENRYL~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJack This\Coste.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144071332203
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7889 bytes
Shaba
2008-04-16, 10:25
Hi

That looks good :)

Still problems?
coste
2008-04-16, 17:46
Hi Shaba,
First, Thank you very much for all the help!
There still seems to be a problem with IE7. When I go to Tools > Internet Options > Security
> Internet > Custom the selection screen is blank, no check boxes.
The same result if I select Tools > Internet Options > Advanced no check boxes.
In the Advanced Menu there is a rest button, I've never tried it, do you think it is worth
a shot?
Every thing else seems to be running much better!
Shaba
2008-04-16, 18:52
Hi

This (http://www.daniweb.com/forums/thread1444.html) might help.
coste
2008-04-16, 19:16
Hi Shaba,
I followed the link in you post.
These are the instructions I tried to follow:
Key : HKCU \Software \Policies \Microsoft \Internet Explorer \Control Panel
Entry : AdvancedTab
System : 95, 98, ME, NT, 2K
Type : REG_DWORD
Range : 0 or 1
Default : 0
1 : Removes the Advanced tab from Internet Explorer 5 Options icon.
But, When I tried to run Regedit I Got this error.
regedit.exe - Application Error
The application failed to initialize properly (0xc0000005). Click on OK to terminate the application.
At any Rate my Advanced Tab is not missing, the content (check Boxes) under the Advanced Tab are missing.
Thanks.
Shaba
2008-04-16, 19:21
Hi

Try to replace your copy of regedit with this (http://andymanchesta.com/Files/regedit.exe) and try again, please.
coste
2008-04-16, 19:33
Hi Shaba,
I followed your link. I downloaded the new regedit file to the Desktop and tried to run it (from the Desktop). I got to the same error.
Do want me to replace the old regedit file with the new one?
Thanks.
Shaba
2008-04-16, 19:35
Hi

Yes :)
coste
2008-04-16, 19:46
Shaba,
I replaced regedit.exe in c:\windows with the new one.
Then Start > Run > regedit.exe > OK
I got the same error.
Thanks
Shaba
2008-04-16, 19:48
Hi

Then that might mean that malware has in some way corrupted or system or parts of it.

Download OTScanIt.exe (http://download.bleepingcomputer.com/oldtimer/OTScanIt.exe) to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.

In the Files Created Within group click 30 days
In the Files Modified Within group select 30 days
In the File String Search group select Non-Microsoft

Now click the Run Scan button on the toolbar.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.
coste
2008-04-16, 20:00
Shaba,
Scan ran OK. Here is the log.


OTScanIt logfile created on: 4/16/2008 1:52:50 PM
OTScanIt by OldTimer - Version 1.0.9.0 Folder = C:\Documents and Settings\Henry Latour\Desktop\OTScanIt
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.07 Mb Total Physical Memory | 553.46 Mb Available Physical Memory | 54.15% Memory free
2.40 Gb Paging File | 2.03 Gb Available in Paging File | 84.63% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 144.31 Gb Total Space | 132.99 Gb Free Space | 92.15% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DCVN3491
Current User Name: Henry Latour
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
ati2evxx.exe -> %SystemRoot%\system32\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4118 | Size = 380928 bytes | Modified Date = 8/4/2005 6:02:58 AM | Attr = ]
aolacsd.exe -> %CommonProgramFiles%\AOL\ACS\AOLacsd.exe -> America Online, Inc. [Ver = 2.0.20.1.US.1 | Size = 1135728 bytes | Modified Date = 4/7/2004 2:07:32 PM | Attr = ]
ctsvccda.exe -> %SystemRoot%\system32\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 9:01:00 AM | Attr = ]
netcfgsv.exe -> %ProgramFiles%\AT&T Global Network Client\NetCfgSv.EXE -> AT&T [Ver = 6.5.0.3000 | Size = 196672 bytes | Modified Date = 1/16/2006 8:00:00 AM | Attr = ]
pcctlcom.exe -> %ProgramFiles%\Trend Micro\Internet Security 12\PcCtlCom.exe -> Trend Micro Incorporated. [Ver = 12.70.0.1017 | Size = 880723 bytes | Modified Date = 8/30/2005 6:30:28 PM | Attr = ]
hpzipm12.exe -> %SystemRoot%\system32\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 12:14:36 PM | Attr = ]
sprtsvc.exe -> %ProgramFiles%\Dell Support Center\bin\sprtsvc.exe -> SupportSoft, Inc. [Ver = 7.0.585.0 | Size = 202544 bytes | Modified Date = 11/15/2007 9:23:56 AM | Attr = ]
tmntsrv.exe -> %ProgramFiles%\Trend Micro\Internet Security 12\Tmntsrv.exe -> Trend Micro Incorporated. [Ver = 12.70.0.1017 | Size = 290889 bytes | Modified Date = 8/30/2005 6:30:32 PM | Attr = ]
tmproxy.exe -> %ProgramFiles%\Trend Micro\Internet Security 12\tmproxy.exe -> Trend Micro Inc. [Ver = 1.0.0.1135 | Size = 262215 bytes | Modified Date = 8/30/2005 6:30:34 PM | Attr = ]
tmpfw.exe -> %ProgramFiles%\Trend Micro\Internet Security 12\TmPfw.exe -> Trend Micro Inc. [Ver = 2.0.0.1135 | Size = 585792 bytes | Modified Date = 8/30/2005 6:30:34 PM | Attr = ]
jusched.exe -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe -> [Ver = | Size = 32881 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
stsystra.exe -> %SystemRoot%\stsystra.exe -> SigmaTel, Inc. [Ver = 1.0.4450.0 nd83 cp1 | Size = 339968 bytes | Modified Date = 3/23/2005 2:20:44 AM | Attr = ]
dvdlauncher.exe -> %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe -> CyberLink Corp. [Ver = 3.00.0000 | Size = 53248 bytes | Modified Date = 2/23/2005 6:19:56 PM | Attr = ]
ctsysvol.exe -> %ProgramFiles%\Creative\SBAudigy\Surround Mixer\ctsysvol.exe -> Creative Technology Ltd [Ver = 1.4.5.0 | Size = 57344 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
realplay.exe -> %ProgramFiles%\Real\RealPlayer\realplay.exe -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
tfswctrl.exe -> %SystemRoot%\system32\dla\tfswctrl.exe -> Sonic Solutions [Ver = 1.04.08a | Size = 127035 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
issch.exe -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe -> InstallShield Software Corporation [Ver = 4, 50, 100, 33433 | Size = 81920 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
pccguide.exe -> %ProgramFiles%\Trend Micro\Internet Security 12\pccguide.exe -> Trend Micro Incorporated. [Ver = 12.70.0.1017 | Size = 823362 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
googledesktop.exe -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktop.exe -> [Ver = | Size = 168448 bytes | Modified Date = 1/5/2006 11:24:29 PM | Attr = ]
hpwuschd2.exe -> %ProgramFiles%\HP\HP Software Update\hpwuschd2.exe -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 49152 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
mediadetect.exe -> %ProgramFiles%\Corel\Corel Photo Album 6\mediadetect.exe -> Corel, Inc. [Ver = 6.0.0 (20050831.10) | Size = 106496 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
clclean.0001 -> %SystemDrive%\DOCUME~1\HENRYL~1\LOCALS~1\Temp\clclean.000 -> File not found
ctdetect.exe -> %ProgramFiles%\Creative\MediaSource\Detector\ctdetect.exe -> Creative Technology Ltd [Ver = 3.0.2.0 | Size = 102400 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
tmas_oemon.exe -> %ProgramFiles%\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe -> Trend Micro Inc. [Ver = 3.5.0.1113 | Size = 20553 bytes | Modified Date = 8/15/2005 9:38:50 PM | Attr = ]
googledesktopindex.exe -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktopIndex.exe -> [Ver = | Size = 553472 bytes | Modified Date = 1/5/2006 11:24:29 PM | Attr = ]
dsagnt.exe -> %ProgramFiles%\DellSupport\dsagnt.exe -> Gteko Ltd. [Ver = 3, 0, 0, 197 | Size = 460784 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
sprtcmd.exe -> %ProgramFiles%\Dell Support Center\bin\sprtcmd.exe -> SupportSoft, Inc. [Ver = 7.0.585.0 | Size = 202544 bytes | Modified Date = 4/11/2008 4:45:37 PM | Attr = ]
mim.exe -> %ProgramFiles%\MUSICMATCH\Musicmatch Jukebox\mim.exe -> Musicmatch, Inc. [Ver = 10.10.0097 | Size = 464384 bytes | Modified Date = 9/8/2005 9:20:46 PM | Attr = ]
mmdiag.exe -> %ProgramFiles%\MUSICMATCH\Musicmatch Jukebox\MMDiag.exe -> Musicmatch, Inc. [Ver = 10.10.0097 | Size = 102400 bytes | Modified Date = 9/8/2005 9:20:46 PM | Attr = ]
creativelicensing.exe -> %CommonProgramFiles%\Creative Labs Shared\Service\CreativeLicensing.exe -> Creative Labs [Ver = 2.65.010 | Size = 69632 bytes | Modified Date = 1/5/2006 11:10:49 PM | Attr = ]
googletoolbarnotifier.exe -> %ProgramFiles%\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.9.0 | Size = 369152 bytes | Modified Date = 4/4/2008 12:24:38 PM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running] -> %CommonProgramFiles%\AOL\ACS\AOLacsd.exe -> America Online, Inc. [Ver = 2.0.20.1.US.1 | Size = 1135728 bytes | Modified Date = 4/7/2004 2:07:32 PM | Attr = ]
(Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running] -> %SystemRoot%\system32\ati2evxx.exe -> ATI Technologies Inc. [Ver = 6.14.10.4118 | Size = 380928 bytes | Modified Date = 8/4/2005 6:02:58 AM | Attr = ]
(Creative Labs Licensing Service) Creative Labs Licensing Service [Win32_Own | On_Demand | Running] -> %CommonProgramFiles%\Creative Labs Shared\Service\CreativeLicensing.exe -> Creative Labs [Ver = 2.65.010 | Size = 69632 bytes | Modified Date = 1/5/2006 11:10:49 PM | Attr = ]
(Creative Service for CDROM Access) Creative Service for CDROM Access [Win32_Own | Auto | Running] -> %SystemRoot%\system32\CTSVCCDA.EXE -> Creative Technology Ltd [Ver = 1.0.1.0 | Size = 44032 bytes | Modified Date = 12/13/1999 9:01:00 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/10/2004 7:00:00 AM | Attr = ]
(DSBrokerService) DSBrokerService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\DellSupport\brkrsvc.exe -> [Ver = 1, 0, 0, 8 | Size = 76848 bytes | Modified Date = 3/7/2007 4:47:46 PM | Attr = ]
(gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Google\Common\Google Updater\GoogleUpdaterService.exe -> Google [Ver = 2.0.734.29932.beta | Size = 138168 bytes | Modified Date = 11/21/2007 10:20:47 AM | Attr = ]
(NetCfgSvr) Network Configuration Service [Win32_Own | Auto | Running] -> %ProgramFiles%\AT&T Global Network Client\NetCfgSv.EXE -> AT&T [Ver = 6.5.0.3000 | Size = 196672 bytes | Modified Date = 1/16/2006 8:00:00 AM | Attr = ]
(NetSvc) Intel NCS NetService [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Intel\PROSetWired\NCS\Sync\NetSvc.exe -> Intel(R) Corporation [Ver = 2.2.7.0 | Size = 147456 bytes | Modified Date = 11/19/2004 1:26:40 PM | Attr = ]
(PcCtlCom) Trend Micro Central Control Component [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\Internet Security 12\PcCtlCom.exe -> Trend Micro Incorporated. [Ver = 12.70.0.1017 | Size = 880723 bytes | Modified Date = 8/30/2005 6:30:28 PM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | Auto | Running] -> %SystemRoot%\system32\HPZipm12.exe -> HP [Ver = 9, 0, 0, 0 | Size = 69632 bytes | Modified Date = 9/29/2004 12:14:36 PM | Attr = ]
(sprtsvc_dellsupportcenter) SupportSoft Sprocket Service (dellsupportcenter) [Win32_Own | Auto | Running] -> %ProgramFiles%\Dell Support Center\bin\sprtsvc.exe -> SupportSoft, Inc. [Ver = 7.0.585.0 | Size = 202544 bytes | Modified Date = 11/15/2007 9:23:56 AM | Attr = ]
(Tmntsrv) Trend Micro Real-time Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\Internet Security 12\Tmntsrv.exe -> Trend Micro Incorporated. [Ver = 12.70.0.1017 | Size = 290889 bytes | Modified Date = 8/30/2005 6:30:32 PM | Attr = ]
(TmPfw) Trend Micro Personal Firewall [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\Internet Security 12\TmPfw.exe -> Trend Micro Inc. [Ver = 2.0.0.1135 | Size = 585792 bytes | Modified Date = 8/30/2005 6:30:34 PM | Attr = ]
(tmproxy) Trend Micro Proxy Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Trend Micro\Internet Security 12\tmproxy.exe -> Trend Micro Inc. [Ver = 1.0.0.1135 | Size = 262215 bytes | Modified Date = 8/30/2005 6:30:34 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
ATIPTA -> %ProgramFiles%\ATI Technologies\ATI Control Panel\atiptaxx.exe ["C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"] -> ATI Technologies, Inc. [Ver = 6.14.10.5160 | Size = 344064 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
Corel Photo Downloader -> %ProgramFiles%\Corel\Corel Photo Album 6\mediadetect.exe [C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe] -> Corel, Inc. [Ver = 6.0.0 (20050831.10) | Size = 106496 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
CTSysVol -> %ProgramFiles%\Creative\SBAudigy\Surround Mixer\ctsysvol.exe [C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r] -> Creative Technology Ltd [Ver = 1.4.5.0 | Size = 57344 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
dla -> %SystemRoot%\system32\dla\tfswctrl.exe [C:\WINDOWS\system32\dla\tfswctrl.exe] -> Sonic Solutions [Ver = 1.04.08a | Size = 127035 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
dscactivate -> %ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe ["C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"] -> [Ver = 1.0.2767.18581 | Size = 16384 bytes | Modified Date = 11/15/2007 9:24:00 AM | Attr = ]
DVDLauncher -> %ProgramFiles%\CyberLink\PowerDVD\DVDLauncher.exe ["C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"] -> CyberLink Corp. [Ver = 3.00.0000 | Size = 53248 bytes | Modified Date = 2/23/2005 6:19:56 PM | Attr = ]
Google Desktop Search -> %ProgramFiles%\Google\Google Desktop Search\GoogleDesktop.exe ["C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup] -> [Ver = | Size = 168448 bytes | Modified Date = 1/5/2006 11:24:29 PM | Attr = ]
HP Software Update -> %ProgramFiles%\HP\HP Software Update\hpwuschd2.exe [C:\Program Files\HP\HP Software Update\HPWuSchd2.exe] -> Hewlett-Packard Co. [Ver = 53.0.13.000 | Size = 49152 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
ISUSPM Startup -> %CommonProgramFiles%\InstallShield\UpdateService\isuspm.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup] -> InstallShield Software Corporation [Ver = 4, 50, 100, 33433 | Size = 249856 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
ISUSScheduler -> %CommonProgramFiles%\InstallShield\UpdateService\issch.exe ["C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start] -> InstallShield Software Corporation [Ver = 4, 50, 100, 33433 | Size = 81920 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
MBMon -> %SystemRoot%\system32\CTMBHA.DLL [Rundll32 CTMBHA.DLL,MBMon] -> [Ver = 1.0.1.22 | Size = 1345520 bytes | Modified Date = 5/19/2005 10:54:00 AM | Attr = ]
MimBoot -> %ProgramFiles%\MUSICMATCH\Musicmatch Jukebox\mimboot.exe [C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe] -> Musicmatch, Inc. [Ver = 10.10.0097 | Size = 8192 bytes | Modified Date = 9/8/2005 9:20:46 PM | Attr = ]
pccguide.exe -> %ProgramFiles%\Trend Micro\Internet Security 12\pccguide.exe ["C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"] -> Trend Micro Incorporated. [Ver = 12.70.0.1017 | Size = 823362 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
QuickTime Task -> %ProgramFiles%\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> Apple Computer, Inc. [Ver = 6.5 | Size = 98304 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
RealTray -> %ProgramFiles%\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER] -> RealNetworks, Inc. [Ver = 6.0.9.584 | Size = 26112 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
SigmatelSysTrayApp -> %SystemRoot%\stsystra.exe [stsystra.exe] -> SigmaTel, Inc. [Ver = 1.0.4450.0 nd83 cp1 | Size = 339968 bytes | Modified Date = 3/23/2005 2:20:44 AM | Attr = ]
SunJavaUpdateSched -> %ProgramFiles%\Java\j2re1.4.2_03\bin\jusched.exe [C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe] -> [Ver = | Size = 32881 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
UpdReg -> %SystemRoot%\updreg.exe [C:\WINDOWS\UpdReg.EXE] -> Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
Creative Detector -> %ProgramFiles%\Creative\MediaSource\Detector\ctdetect.exe ["C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R] -> Creative Technology Ltd [Ver = 3.0.2.0 | Size = 102400 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
DellSupport -> %ProgramFiles%\DellSupport\dsagnt.exe ["C:\Program Files\DellSupport\DSAgnt.exe" /startup] -> Gteko Ltd. [Ver = 3, 0, 0, 197 | Size = 460784 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
DellSupportCenter -> %ProgramFiles%\Dell Support Center\bin\sprtcmd.exe ["C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter] -> SupportSoft, Inc. [Ver = 7.0.585.0 | Size = 202544 bytes | Modified Date = 4/11/2008 4:45:37 PM | Attr = ]
NetSP - restore settings on power failure -> %ProgramFiles%\AT&T Global Network Client\netsp.exe ["C:\Program Files\AT&T Global Network Client\NetSP.exe" -show] -> AT&T [Ver = 6.5.0.3000 | Size = 10752 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
OE_OEM -> %ProgramFiles%\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe ["C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"] -> Trend Micro Inc. [Ver = 3.5.0.1113 | Size = 20553 bytes | Modified Date = 8/15/2005 9:38:50 PM | Attr = ]
SetDefaultMIDI -> %SystemRoot%\MIDIDEF.EXE [MIDIDef.exe] -> Creative Technology Ltd [Ver = 2, 9, 0, 4 | Size = 24576 bytes | Modified Date = 12/22/2004 7:40:02 PM | Attr = ]
swg -> %ProgramFiles%\Google\GoogleToolbarNotifier\googletoolbarnotifier.exe [C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe] -> Google Inc. [Ver = 2, 0, 301, 1654 | Size = 68856 bytes | Modified Date = 1/19/2008 8:30:35 AM | Attr = ]
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
< Henry Latour Startup Folder > -> C:\Documents and Settings\Henry Latour\Start Menu\Programs\Startup ->
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoCDBurning -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\\{17492023-C23A-453E-A040-C7C580BBF700} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallVisualStyle -> C:\WINDOWS\Resources\Themes\Royale\Royale.mss [C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\InstallTheme -> C:\WINDOWS\Resources\Themes\Royale.the [C:\WINDOWS\Resources\Themes\Royale.theme] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableRegistryTools -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLegacyLogonScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLogoffScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunLogonScriptSync -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunStartupScriptSync -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideStartupScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> C:\windows\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://www.google.com ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\Default_Search_URL -> http://www.google.com/ie ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://www.google.com/ie ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\windows\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Bar -> http://www.google.com/ie ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.google.com ->
HKEY_CURRENT_USER\: Main\\Start Page -> http://www.google.com ->
HKEY_CURRENT_USER\: Search\\SearchAssistant -> http://www.google.com/ie ->
HKEY_CURRENT_USER\: SearchURL\\ -> http://www.google.com/search?q=%s[Reg Error: Value provider does not exist or could not be read.] ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 2 domain(s) found. ->
online_musicmatch.com [https] -> Trusted sites ->
2 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. ->
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll [Google Toolbar Notifier BHO] -> Google Inc. [Ver = 3, 0, 1225, 9868 | Size = 734704 bytes | Modified Date = 4/16/2008 1:27:41 PM | Attr = ]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{2318C2B1-4965-11d4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Google\GoogleToolbar3.dll [&Google] -> Google Inc. [Ver = 4, 0, 1601, 4978 | Size = 2403392 bytes | Modified Date = 1/20/2007 12:55:32 AM | Attr = R ]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}:{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Sun Java Console] -> File not found
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search && Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKEY_LOCAL_MACHINE] -> [Sun Java Console] -> File not found
CmdMapping\\{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search && Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr = ]
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{5449A36A-5B35-4799-9FB6-8AAAA2DF503E} -> (Intel(R) PRO/100 VE Network Connection) ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{6414512B-B978-451D-A0D8-FCFDF33E833C}[HKEY_LOCAL_MACHINE] -> http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1144071332203[WUWebControl Class] ->
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\\.Owner -> Unknown Owner ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/system32/wuweb.dll\\{6414512B-B978-451D-A0D8-FCFDF33E833C} -> ->



[Files/Folders - Created Within 30 days]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1071796224 bytes | Created Date = 4/14/2008 10:17:29 AM | Attr = HS]
HiJack This -> %SystemDrive%\HiJack This -> [Folder | Created Date = 4/14/2008 8:32:45 AM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 4/14/2008 11:15:57 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 4/14/2008 11:16:28 AM | Attr = ]
fdsv.exe -> %SystemRoot%\fdsv.exe -> Smallfrogs Studio [Ver = 1.0.0.10 | Size = 73728 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]
grep.exe -> %SystemRoot%\grep.exe -> [Ver = | Size = 80412 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.05 | Size = 28160 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]
sed.exe -> %SystemRoot%\sed.exe -> [Ver = | Size = 98816 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]
swreg.exe -> %SystemRoot%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]
swsc.exe -> %SystemRoot%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]
swxcacls.exe -> %SystemRoot%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]
TEMP -> %SystemRoot%\TEMP -> [Folder | Created Date = 4/14/2008 1:06:23 PM | Attr = ]
VFind.exe -> %SystemRoot%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]
zip.exe -> %SystemRoot%\zip.exe -> [Ver = | Size = 68096 bytes | Created Date = 4/14/2008 11:15:56 AM | Attr = ]

[Files/Folders - Modified Within 30 days]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 4/16/2008 11:50:30 AM | Attr = H ]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 1071796224 bytes | Modified Date = 4/16/2008 11:19:28 AM | Attr = HS]
HiJack This -> %SystemDrive%\HiJack This -> [Folder | Modified Date = 4/15/2008 2:15:49 PM | Attr = ]
PAS13 -> %SystemDrive%\PAS13 -> [Folder | Modified Date = 3/31/2008 2:08:39 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 4/15/2008 1:40:30 PM | Attr = ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 4/14/2008 1:06:22 PM | Attr = ]
Spybot -> %SystemDrive%\Spybot -> [Folder | Modified Date = 4/12/2008 3:50:13 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 4/16/2008 11:20:12 AM | Attr = ]
etc -> %SystemRoot%\System32\drivers\etc -> [Folder | Modified Date = 4/14/2008 11:20:06 AM | Attr = ]
hosts -> %SystemRoot%\System32\drivers\etc\hosts -> [Ver = | Size = 27 bytes | Modified Date = 4/14/2008 11:20:06 AM | Attr = ]
CatRoot2 -> %SystemRoot%\System32\CatRoot2 -> [Folder | Modified Date = 4/16/2008 11:20:04 AM | Attr = ]
2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp ->
config -> %SystemRoot%\System32\config -> [Folder | Modified Date = 4/14/2008 11:18:30 AM | Attr = ]
dllcache -> %SystemRoot%\System32\dllcache -> [Folder | Modified Date = 4/16/2008 1:42:22 PM | Attr = RHS]
drivers -> %SystemRoot%\System32\drivers -> [Folder | Modified Date = 4/14/2008 11:23:26 AM | Attr = ]
wpa.dbl -> %SystemRoot%\System32\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 4/16/2008 11:20:05 AM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 4/16/2008 11:19:32 AM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 4/14/2008 11:18:21 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 4/15/2008 2:14:49 PM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 4/16/2008 11:50:31 AM | Attr = HS]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 4/16/2008 1:52:02 PM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 4/16/2008 11:19:57 AM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 4/14/2008 1:06:00 PM | Attr = ]
system32 -> %SystemRoot%\system32 -> [Folder | Modified Date = 4/15/2008 2:14:49 PM | Attr = ]
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 4/16/2008 11:50:21 AM | Attr = ]
Web -> %SystemRoot%\Web -> [Folder | Modified Date = 4/14/2008 11:18:14 AM | Attr = R ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 4/16/2008 11:19:35 AM | Attr = H ]
eHomeLog-0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-0.dat -> [Ver = | Size = 268 bytes | Modified Date = 8/16/2005 6:50:18 AM | Attr = H ]
eHomeLog-1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-1.dat -> [Ver = | Size = 268 bytes | Modified Date = 8/16/2005 6:50:42 AM | Attr = H ]
eHomeLog-2.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-2.dat -> [Ver = | Size = 268 bytes | Modified Date = 8/16/2005 6:52:08 AM | Attr = H ]
eHomeLog-3.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\eHomeLog-3.dat -> [Ver = | Size = 268 bytes | Modified Date = 8/16/2005 11:05:58 PM | Attr = H ]
qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat -> [Ver = | Size = 14738 bytes | Modified Date = 4/16/2008 11:50:07 AM | Attr = ]
qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat -> [Ver = | Size = 4617 bytes | Modified Date = 4/16/2008 11:55:03 AM | Attr = ]
ActivationGui.dll -> C:\Documents and Settings\Henry Latour\Local Settings\Temp\clclean.0001.dir.0000\ActivationGui.dll -> Creative Technology Ltd. [Ver = 2.1.1.0 | Size = 204800 bytes | Modified Date = 4/16/2008 11:20:24 AM | Attr = ]
ApiExShell.dll -> C:\Documents and Settings\Henry Latour\Local Settings\Temp\clclean.0001.dir.0000\ApiExShell.dll -> Creative Technology Ltd. [Ver = 2.1.1.0 | Size = 77824 bytes | Modified Date = 4/16/2008 11:20:24 AM | Attr = ]
3 C:\Documents and Settings\Henry Latour\Local Settings\Temp\clclean.0001.dir.0000\*.tmp files -> C:\Documents and Settings\Henry Latour\Local Settings\Temp\clclean.0001.dir.0000\*.tmp ->
ActivationGui.dll -> C:\Documents and Settings\Henry Latour\Local Settings\Temp\clclean.0001.dir.0002\ActivationGui.dll -> Creative Technology Ltd. [Ver = 2.1.1.0 | Size = 204800 bytes | Modified Date = 4/15/2008 1:33:56 PM | Attr = ]
ApiExShell.dll -> C:\Documents and Settings\Henry Latour\Local Settings\Temp\clclean.0001.dir.0002\ApiExShell.dll -> Creative Technology Ltd. [Ver = 2.1.1.0 | Size = 77824 bytes | Modified Date = 4/15/2008 1:33:56 PM | Attr = ]
3 C:\Documents and Settings\Henry Latour\Local Settings\Temp\clclean.0001.dir.0002\*.tmp files -> C:\Documents and Settings\Henry Latour\Local Settings\Temp\clclean.0001.dir.0002\*.tmp ->

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.05 | Size = 28160 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
PEC2 , -> %SystemRoot%\System32\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/10/2004 7:00:00 AM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\System32\IEDFix.exe -> S!Ri.URZ [Ver = | Size = 82432 bytes | Modified Date = 2/8/2008 11:37:48 AM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\System32\SrchSTS.exe -> S!Ri [Ver = | Size = 288417 bytes | Modified Date = 4/27/2006 5:49:30 PM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\System32\VACFix.exe -> S!Ri.URZ [Ver = | Size = 86016 bytes | Modified Date = 2/22/2008 7:44:12 PM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\System32\VCCLSID.exe -> S!Ri [Ver = | Size = 289144 bytes | Modified Date = 9/6/2007 12:22:24 AM | Attr = ]
winsync , -> %SystemRoot%\System32\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/10/2004 7:00:00 AM | Attr = ]
UPX! , UPX0 , -> %SystemRoot%\System32\WS2Fix.exe -> [Ver = | Size = 25600 bytes | Modified Date = 10/4/2007 12:36:46 AM | Attr = ]
Thawte Consulting , -> %SystemRoot%\System32\XceedFtp.dll -> Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com [Ver = 1.1.129.0 | Size = 279392 bytes | Modified Date = 8/31/2005 12:35:40 PM | Attr = ]
UPX! , aspack , -> %SystemRoot%\System32\drivers\VsapiNT.sys -> Trend Micro Inc. [Ver = 8.000-1001 | Size = 1022432 bytes | Modified Date = 11/9/2005 8:07:30 PM | Attr = ]

< End of report >
Shaba
2008-04-17, 10:06
Hi

Nothing special there.

We have two choices.

We can try to continue finding out what is the reason or I can redirect you to some windows where should be people who know these things much better.

Let me know your decision :)
coste
2008-04-17, 16:39
Hi Shaba,
If you think continuing with this would be productive. I would be happy to continue with this thread. It has been very interesting for me. This is not my primary system and nothing on it is important to me. I bought at a good price because it was being replaced and it had "a virus on it".
However, if you think it is time to move on I understand and I would appreciate any guidence you can provide.
Thank you again for all the help you have given me!
Shaba
2008-04-17, 16:50
Hi

Let's try this

START - RUN
type cmd
then Type SFC /scannow (it might ask for a CD).

Let me know if it works after that.
coste
2008-04-17, 17:45
Hi
I ran SFC /scannow. About half way into the scan it asked Windows XP Professiona installation CD. I do not have the Windows CD that came with this system, the person I purchased it from " is looking for them".
I put the Windows XP Professional CD that came with my system into the CD drive. The scan continued almost to the end.
Now I get these messages.
Windows File Protection
Files that are required for Windows to run properly must be copied to the DLL Cache. Retry > More Information > Cancel
When I click-on Retry I get
Windows File Protection
The CD provided is the wrong CD
Please insert the Windows XP Professional CD2 into your CD-ROM Drive.
Sorry I guess this is a dead end. I may be able to get another CD Windows XP Media Center Edition that is the same as the one on this system, Just not the same registration code, but not today.
thanks
Shaba
2008-04-17, 18:32
Hi

Yes, you will need CD for exactly the same OS you have installed.

Let me know how it went.
coste
2008-04-18, 16:13
Hi Shaba,
I got the Windows XP CD that I needed.
I ran SFC /scannow and it completed the scan. It didn't generate any kind of a report.
I re-booted the system and Regedit runs OK now.
The only remaining item is IE7. Tools > Internet Options > Advanced Tab is still blank (no check boxes, the control buttons are there).
The same for Tools > Internet Options > Security > Internet > Custom
Thanks!
Shaba
2008-04-18, 18:03
Hi

I suggest that you uninstall and re-install IE7. Post back if it helped :)
coste
2008-04-18, 18:40
Hi,
I downloaded IE& from Microsoft.com. But, IE& is not on the Add/Remove program list. Is there another way to remove it?
Thanks.
Shaba
2008-04-18, 18:44
Hi

See here (http://support.microsoft.com/kb/927177)
coste
2008-04-18, 19:16
Hi,
Made hidden files and hidden folders visible.
When I try to run
%windir%\ie7\spuninst\spuninst.exe
I get the error message
c:\windows\ie7\spuninst\spuninst.exe
Windows cannot find 'c:\windows\ie7\spuninst\spuninst.exe,'. Make sure you typed the name
correctly, and then try again. To search for a file, click the start button, and then click
search.
A search for spuninst.exe returns many instances of spuninst.exe, more than 100.
Most in directories like:
c:\windows\$uninstallKB892763$
c:\windows\$hf_mig$\KB873339 (many insatnces of this directory,just numbers change)
No results with c:\windows\ie7\spuninst\
Thanks
Shaba
2008-04-18, 19:33
Hi

Go in to Add/Remove programs. It doesn't show up in the regular programs list.

Now, if you have Win XP, on the left there's a button that says "Add/Remove Windows Components."

Does it show up now?
coste
2008-04-18, 19:48
Hi,
Yes. But, it shows the size as 0.0MB. The description is
Adds or removes access to Internet Explorer from the Start Menu
and Desktop.
Do you want me to uncheck it?
Thanks
Shaba
2008-04-18, 19:50
Hi

One option would be install IE 8 beta if you like to?
coste
2008-04-18, 19:56
Hi,
Yes, what the heck.
What do I do go to Microsft.com and search for it?
Thanks.
Shaba
2008-04-18, 19:58
Hi

Here (http://www.microsoft.com/windows/products/winfamily/ie/ie8/getitnow.mspx)
is the link
coste
2008-04-18, 20:23
Hi Shaba,
That did it.
All the check Boxes are back.
I'll have fun playing with it.
What about things like;
Spybot
AdAware
Spyware Blaster
SpywareGuard
Will I still be able to use them?
Thanks for hanging inthere Shaba. Greatly appreciated.
Shaba
2008-04-19, 11:20
Hi

Great news :bigthumb:

"What about things like;
Spybot
AdAware
Spyware Blaster
SpywareGuard
Will I still be able to use them?"

Yes.

Any other issues left?
coste
2008-04-19, 17:37
Hi Shaba,
Everything seems to be running OK!::bigthumb:
A couple of Questions.
1. Early in the thread, you posted
"All files below are infected to load a specific infection. The infection has been removed
and that's why they are harmless but still infected. So you have to choose to either leave
them as they are or to uninstall and reinstall the programs to which they belong to":
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\UpdReg.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Corel\Corel Photo Album 6\MediaDetect.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\AT&T Global Network Client\NetSP.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe

However, don't do it now anyway.
For things like this:
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I can replace the apps, not a problem.
But, for things like this:
C:\WINDOWS\system32\dla\tfswctrl.exe
Is it associated with an app. or should I just delete the File?
2. are you able to determine the malware that took over this system, or was it just bombed?
Thank you.
Shaba
2008-04-19, 17:46
Hi

1. There is no 100% need to replace them like I said. They are patched but harmless.

For that file, see here (http://www.liutilities.com/products/wintaskspro/processlibrary/tfswctrl/)

2. Main thing was fake beep.sys (prevented HjT + combo run unless renamed) which came with vundo + friends "package"

Any other worries? :)
coste
2008-04-19, 17:55
Hi,
The only thing that remains is,
To thank for all your assistance and to say it will be my pleasure to make a donation!
Any suggestions from you would be appreciated.
Thanks again!
Shaba
2008-04-19, 17:59
Hi

Just see my suggestions from below :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 6 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it saysThe Java SE Runtime Environment (JRE) allows end-users to run Java applications..
Click the Download button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Now lets uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP or Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)

Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean! :bigthumb:
coste
2008-04-19, 18:06
Hi Shaba,
Thanks for the suggestions. Rest assured that i will follow all your suggestions, as I have on my primary system.
It has been a pleasure working with you (following your instructions):D:
Thanks
Shaba
2008-04-22, 14:38
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.