
HELP Needed with Smitfraud-C infection



tarix
2008-10-15, 03:24
;) Please Help Me !!
My computer has been infected by malware named Smitfraud-C, which Spybot Search & Destroy has identified as such.

I've run Spybot Search & Destroy and it recognized it and cleaned it almost entirely, although it couldn't remove it completely (even in safe mode); it always leaves (or finds) at least 1 infection that can't be removed, even if I start Spybot Search & Destroy when the computer starts.

I've read the "BEFORE you POST" thread and downloaded HJT; below is the log. :( Please Help !!!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:21:53, on 15-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\1\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netcabo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: The Lynx Internet Radio Network Toolbar - {cb90f295-4524-4bd4-adb4-8dc333d67d6a} - C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll
O2 - BHO: Torrent-Search Toolbar - {e0c7b854-d5ce-4db6-9804-be1438603d89} - C:\Program Files\Torrent-Search\tbTor0.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000013.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: Torrent-Search Toolbar - {e0c7b854-d5ce-4db6-9804-be1438603d89} - C:\Program Files\Torrent-Search\tbTor0.dll
O3 - Toolbar: The Lynx Internet Radio Network Toolbar - {cb90f295-4524-4bd4-adb4-8dc333d67d6a} - C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IME JPN 2007 Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\Casa\LOCALS~1\Temp\a.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [bCqf6PD0V0] C:\Documents and Settings\All Users\Application Data\dilupkzg\lqjinobu.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to Local Website Archive - C:\Documents and Settings\Casa\Application Data\aignes\Local Website Archive\config\iearc.htm
O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Casa\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra 'Tools' menuitem: Add to Local Website Archive - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {651B27BB-07F3-46F6-91E2-73F48BDC7525} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {BAD3887C-C44F-436A-BE7E-184C47E66D09} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 14135 bytes
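As an added example that is not part of this thread (and not a HijackThis feature), here is a small Python script that applies to O4 lines like the ones above the checks a log reader normally does by eye: an executable launched from a Temp folder, an entry under the Policies\Explorer\Run key, a random-looking value name, an executable sitting directly under All Users\Application Data, and orphaned "(no file)" entries. The sample lines are copied from the log above; the scoring weights, the regular expressions and the function names are assumptions of this example, and a score is a review priority, not a verdict.

```python
"""Triage heuristics for HijackThis O4 (autostart) lines.

Added example for this thread; it is not part of HijackThis or of the
original posts. Each O4 line gets a score from a few location and naming
checks that a log reader normally applies by eye. A high score means
"look at this first", not "this is malware", and 0 does not mean clean.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log above plus one
# orphaned O2 entry. Not a complete log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSFox] C:\DOCUME~1\Casa\LOCALS~1\Temp\a.exe
O4 - HKLM\..\Policies\Explorer\Run: [bCqf6PD0V0] C:\Documents and Settings\All Users\Application Data\dilupkzg\lqjinobu.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Value names of 8+ alphanumerics mixing digits, lower and upper case, e.g. bCqf6PD0V0
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{8,}$")

# Weights are assumptions chosen for this example, not a published scale.
W_TEMP, W_POLICY_RUN, W_RANDOM_NAME, W_APPDATA, W_ONE_LETTER = 3, 2, 2, 1, 1


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)


def image_path(cmd):
    """Return the program part of an autostart command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|cpl|scr))(?=\s|,|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def score_o4(key, name, cmd):
    """Apply the heuristics to one O4 entry and return a Finding."""
    path = image_path(cmd)
    low = path.lower()
    f = Finding(line=f"[{name}] {path}")
    if re.search(r"\\temp\\", low):
        f.score += W_TEMP
        f.reasons.append("runs from a Temp directory")
    if "policies\\explorer\\run" in key.lower():
        f.score += W_POLICY_RUN
        f.reasons.append("uses Policies\\Explorer\\Run, which installers rarely touch")
    if RANDOM_NAME_RE.match(name):
        f.score += W_RANDOM_NAME
        f.reasons.append("random-looking value name")
    if "\\all users\\application data\\" in low and low.endswith(".exe"):
        f.score += W_APPDATA
        f.reasons.append("executable under All Users\\Application Data")
    if re.search(r"\\[a-z]\.exe$", low):
        f.score += W_ONE_LETTER
        f.reasons.append("single-letter executable name")
    return f


def triage(log_text):
    """Score every O4 line; list O2/O3 '(no file)' orphans with score 0.

    Returns findings sorted highest score first.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            findings.append(score_o4(m["key"], m["name"], m["cmd"]))
        elif line.startswith(("O2 -", "O3 -")) and line.endswith("(no file)"):
            findings.append(Finding(line=line, reasons=["orphaned entry: target file is missing"]))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def report(log_text):
    """Return one summary line per finding that has something to say."""
    return [f"score={f.score} {f.line}: {'; '.join(f.reasons)}"
            for f in triage(log_text) if f.reasons]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run against the sample, the two entries a helper would ask about first (the Policies\Explorer\Run value and the Temp\a.exe entry) come out on top, while the AVG tray, dumprep and TeaTimer lines score 0; the orphaned BHO is listed only as cleanup.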

Shaba
2008-10-15, 12:02
Hi tarix

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

tarix
2008-10-15, 18:52
Hi Shaba, thanks for your help; this has been quite annoying the last few days :sad: Sorry for the delay in answering, but I'm a newbie in these more complicated things and didn't want to mess up more, so I did it step by step ;) and also I think we're in different time zones.

Here are the reports you asked:


ComboFix 08-10-14.07 - Casa 2008-10-15 16:08:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.423 [GMT 1:00]
Running from: C:\Documents and Settings\Casa\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Casa\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Casa\Application Data\inst.exe
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\system32\msxml71.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


(((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 ))))))))))))))))))))))))))))
.

2008-10-15 15:56 . 2008-10-15 15:56 <DIR> d-------- C:\spoolerlogs
2008-10-14 02:54 . 2008-10-14 02:54 <DIR> d-------- C:\Documents and Settings\Mãe\Application Data\MetaProducts
2008-10-14 02:54 . 2008-10-14 02:54 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\MetaProducts
2008-10-14 02:22 . 2008-10-14 02:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-14 02:21 . 2008-10-15 12:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\dilupkzg
2008-10-14 01:09 . 2008-10-14 02:14 4,438 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-13 03:09 . 2008-10-13 23:56 181 --a------ C:\WINDOWS\wininit.ini
2008-10-13 02:15 . 2008-10-13 02:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-16 03:08 . 2008-09-16 03:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 14:55 --------- d-----w C:\Program Files\Torrent-Search
2008-10-15 14:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-14 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-14 01:54 --------- d-----w C:\Program Files\Download Express
2008-10-14 01:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-14 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-13 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-13 00:44 --------- d-----w C:\Program Files\SpywareBlaster
2008-09-30 02:37 --------- d-----w C:\Program Files\Rainlendar2
2008-09-11 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-07 19:55 --------- d-----w C:\Documents and Settings\Casa\Application Data\Vso
2008-09-07 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-09-07 05:59 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-09-07 05:59 47,360 ----a-w C:\Documents and Settings\Casa\Application Data\pcouffin.sys
2008-09-07 05:59 --------- d-----w C:\Program Files\vso
2008-09-03 16:38 --------- d-----w C:\Program Files\Google
2008-08-31 22:02 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-08-31 21:54 --------- d-----w C:\Program Files\Java
2008-08-31 21:47 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-14 05:27 81,920 ----a-w C:\Documents and Settings\Casa\Application Data\ezpinst.exe
2008-04-04 02:51 14,290 ----a-w C:\Program Files\settings.dat
2008-03-21 16:12 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

----a-w 18,851,397 2008-03-23 16:38:13 C:\Documents and Settings\Casa\My Documents\Downloads\Internet Explorer 7.0.5730.11 (AIO)\Internet Explorer 7.0.5730.11 .exe


------- Sigcheck -------

2005-03-02 01:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 10:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2003-11-08 13:00 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 06:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 01:34 2067712 73c6d7f370eee2330162a8dd3302159c C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-04 06:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-13 19:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-02-28 09:38 2068480 bf7d3b9a67fdabb7ada4df7c0286b382 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe

2005-03-02 02:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 10:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2003-11-08 13:00 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 07:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 01:59 2190208 ba9c5fd985ba9de863f482b892b0e4ad C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-04 07:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-04-13 20:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-02-28 10:10 2191232 cc208534f5463d154da324ae9eceac78 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\VITrans\ntoskrnl.exe
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb90f295-4524-4bd4-adb4-8dc333d67d6a}]
2008-03-13 11:30 1524248 --a------ C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 13:04 97064 --a------ C:\Program Files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2008-05-22 167936]
"Copernic Desktop Search 2"="C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" [2008-02-13 1583624]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-20 65536]
"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [2008-02-19 61440]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"PCTVRemote"="C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-29 61440]
"Opware12"="C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2003-05-20 49152]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-09-26 35328]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-04 987187]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-27 184408]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"IME JPN 2007 Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE" [2007-08-23 66936]
"Microsoft Pinyin IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-26 32560]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"bCqf6PD0V0"="C:\Documents and Settings\All Users\Application Data\dilupkzg\lqjinobu.exe" [N/A]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\Casa\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-04 575488]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i420vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
--a------ 2008-04-26 17:19 450560 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 u1pvdbs;SONY USB CAMERA Base Driver;C:\WINDOWS\system32\DRIVERS\u1pvdbs.sys [2001-11-27 6225]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-31 97928]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51 13560]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-31 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-31 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 76040]
R2 NeroRegInCDSrv;Nero Registry InCD Service;C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2008-02-28 53032]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2008-04-27 93696]
R3 u1pvdsm;SONY USB CAMERA Video Capture Device;C:\WINDOWS\system32\DRIVERS\u1pvdsm.sys [2001-11-27 318419]
S3 tbHD;Philips PSC705 WDM Driver;C:\WINDOWS\system32\drivers\TBirdHD.sys [2002-06-04 336066]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{858adae0-63cc-11dd-99f3-00805a2069c9}]
\Shell\Auto\command - G:\fun.xls.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL fun.xls.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Casa\Application Data\Mozilla\Firefox\Profiles\eavgd1xx.default\
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 16:14:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\c1008365-ee78-4870-af4b-1ca971810976.tmp 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
-> C:\Program Files\VisualTaskTips\VttHooks.dll
-> C:\Program Files\Copernic Desktop Search 2\DesktopSearchSystem203000013.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\searchindexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\IncrediMail\bin\ImApp.exe
C:\WINDOWS\system32\searchprotocolhost.exe
C:\WINDOWS\system32\searchfilterhost.exe
C:\WINDOWS\system32\imapi.exe
.
**************************************************************************
.
Completion time: 2008-10-15 16:25:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-15 15:25:22

Pre-Run: 3,118,997,504 bytes free
Post-Run: 3,028,475,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

240 --- E O F --- 2008-09-11 05:37:15


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:29:04, on 15-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Casa\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netcabo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: The Lynx Internet Radio Network Toolbar - {cb90f295-4524-4bd4-adb4-8dc333d67d6a} - C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000013.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: The Lynx Internet Radio Network Toolbar - {cb90f295-4524-4bd4-adb4-8dc333d67d6a} - C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IME JPN 2007 Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKLM\..\Policies\Explorer\Run: [bCqf6PD0V0] C:\Documents and Settings\All Users\Application Data\dilupkzg\lqjinobu.exe
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to Local Website Archive - C:\Documents and Settings\Casa\Application Data\aignes\Local Website Archive\config\iearc.htm
O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Casa\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra 'Tools' menuitem: Add to Local Website Archive - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {651B27BB-07F3-46F6-91E2-73F48BDC7525} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {BAD3887C-C44F-436A-BE7E-184C47E66D09} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 13116 bytes


thanks again for your help ;)

Shaba
2008-10-15, 19:01
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.

tarix
2008-10-15, 19:16
Hi Shaba, thought you were offline, I'm glad you're here.
Here is what you asked for (I hope I've done it right :red: )

2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
3D Windows XP Screen Saver
7-Zip 4.57
Adaptec UDF Reader
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player ActiveX
Adobe Photoshop Elements 6.0
Adobe Reader 8.1.2
Alt-Tab Task Switcher Powertoy for Windows XP
AM-DeadLink 3.2
Any FLV Player 2.0.0
Applian FLV Player
APSW In A Flash
Ashampoo WinOptimizer 5.00
AudioPix
AVG Free 8.0
Biometric Screensaver
BookmarkSync v2.3.2
BootSkin
Calculator Powertoy for Windows XP
CCleaner (remove only)
Classic Menu 3.x for Office 2007
ClearType Tuning Control Panel Applet
Collectorz.com Book Collector
ConvertXtoDVD 3.2.0.52
Copernic Agent Basic
Copernic Desktop Search 2
CubeDesktop 1.1.3
Desktop Icon Toy 3.2
Dicionário eletrônico Houaiss
Disco de recordações HP
Diskeeper Professional Edition
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DLL Toys International Edition 2004 R4
doPDF 6.0 printer
DScaler 4.1.10
DVD Decrypter (Remove Only)
DVD Shrink 3.2
E.M. Free PowerPoint Video Converter 1.0
eMusic - 50 Free MP3 offer
FLiP 3
Folder Size for Windows
Freeciv 2.0.9 (GTK+ client)
FreeRIP v2.60
GetPix (remove only)
getPlus(R)_ocx
Google Earth
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915800)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HP Photo and Imaging 2.1 - Scanjet 36X0 Series
Image Resizer Powertoy for Windows XP
ImTOO MP4 Video Converter
IncrediMail Xe
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Jigsaw Puzzle Lite (remove only)
K-Lite Codec Pack 3.2.5 Full
Kyodai Mahjongg 2006 v1.42
LightScribe System Software 1.10.23.1
Local Website Archive 2.1.0
LogonStudio
Magic ISO Maker v5.4 (build 0251)
Magic ISO Maker v5.4 (build 0256)
MagicDisc 2.6.93
MagicDisc 2.7.105
Magnifier Powertoy for Windows XP
Media Library Management Wizard
Messenger Plus! Live
MetaProducts Download Express
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office IME (Chinese (Simplified)) 2007
Microsoft Office IME (Chinese (Traditional)) 2007
Microsoft Office IME (Japanese) 2007
Microsoft Office IME (Korean) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (Arabic) 2007
Microsoft Office Proof (Basque) 2007
Microsoft Office Proof (Bulgarian) 2007
Microsoft Office Proof (Catalan) 2007
Microsoft Office Proof (Chinese (Simplified)) 2007
Microsoft Office Proof (Chinese (Traditional)) 2007
Microsoft Office Proof (Croatian) 2007
Microsoft Office Proof (Czech) 2007
Microsoft Office Proof (Danish) 2007
Microsoft Office Proof (Dutch) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (Estonian) 2007
Microsoft Office Proof (Finnish) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Galician) 2007
Microsoft Office Proof (German) 2007
Microsoft Office Proof (Greek) 2007
Microsoft Office Proof (Gujarati) 2007
Microsoft Office Proof (Hebrew) 2007
Microsoft Office Proof (Hindi) 2007
Microsoft Office Proof (Hungarian) 2007
Microsoft Office Proof (Italian) 2007
Microsoft Office Proof (Japanese) 2007
Microsoft Office Proof (Kannada) 2007
Microsoft Office Proof (Korean) 2007
Microsoft Office Proof (Latvian) 2007
Microsoft Office Proof (Lithuanian) 2007
Microsoft Office Proof (Marathi) 2007
Microsoft Office Proof (Norwegian (Bokmål)) 2007
Microsoft Office Proof (Norwegian (Nynorsk)) 2007
Microsoft Office Proof (Polish) 2007
Microsoft Office Proof (Portuguese (Brazil)) 2007
Microsoft Office Proof (Portuguese (Portugal)) 2007
Microsoft Office Proof (Punjabi) 2007
Microsoft Office Proof (Romanian) 2007
Microsoft Office Proof (Russian) 2007
Microsoft Office Proof (Serbian (Latin)) 2007
Microsoft Office Proof (Slovak) 2007
Microsoft Office Proof (Slovenian) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proof (Swedish) 2007
Microsoft Office Proof (Tamil) 2007
Microsoft Office Proof (Telugu) 2007
Microsoft Office Proof (Thai) 2007
Microsoft Office Proof (Turkish) 2007
Microsoft Office Proof (Ukrainian) 2007
Microsoft Office Proof (Urdu) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Kit 2007
Microsoft Office Proofing Tools Kit 2007
Microsoft Office ProofMUI (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! for Windows XP
Microsoft Save as PDF Add-in for 2007 Microsoft Office programs
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft® Winter Fun Pack 2004 for Windows® XP
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Moyea FLV Downloader version 1.15.0.15
Moyea FLV Player version 1.5.2.7
Moyea FLV to Video Converter Pro version 1.29.2.11
Mozilla Firefox (2.0.0.2)
MSXML 4.0 SP2 (KB936181)
MV2Player (remove only)
Nero 8
neroxml
Netcraft Toolbar
OmniPage Pro 12.0
PCTV
PDFCreator
PDFCreator Toolbar
Personal License Update Wizard for Windows Media Player
Philips PSC703 V1.89 Update Driver (ENG)
Philips PSC705 V1.89 Update Driver (ENG)
Pinnacle TRex
Plus! MP3 Audio Converter LE
PowerDVD
Rainlendar2 (remove only)
Rhapsody Player Engine
Sandboxie 3.26
save2pc Pro 3.25
ScanSoft RealSpeak
Security Update for 2007 Microsoft Office System (KB951596)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB951546)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Simple Sudoku 4.2
Skype™ 3.6
Smooth Program Scheduler 1.0
Software para Impressoras EPSON
Sonic Foundry ACID 2.0c
SONY USB CAMERA Installer
Speed DVD Creator 4.0.41
Speed Video Converter 3.1.1
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SpywareBlaster 4.1
Styler
SubtitleCreator
Switch
SyncToy
The_Lynx_Internet_Radio_Network Toolbar
Timershot Powertoy for Windows XP
Total Video Converter 3.11 070908
Tweak UI
Unlocker 1.8.7
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb956080)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
VCRedistSetup
VideoLAN VLC media player 0.8.6d
Virtual Desktop Manager Powertoy for Windows XP
Vista Transformation Pack 8.0
Vista/XP Virtual Desktops
Visual Task Tips 3.1
VisualSubSync (remove only)
WebSite-Watcher 4.40
Winamp (remove only)
Windows Desktop Search 3.01
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Bonus Pack for Windows XP
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Series TweakMP PowerToy
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Creativity Fun Packs - Windows XP Power Toys
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Windows XP Video Screensaver Powertoy
WinNc 2000
WinPcap 4.0
WinRAR archiver
WinZip 11.2

thanks

Shaba
2008-10-15, 19:53
Uninstall via add/remove programs:

eMusic - 50 Free MP3 offer
Java(TM) 6 Update 4
Java(TM) 6 Update 5

Open notepad and copy/paste the text in the codebox below into it:


DirLook::
C:\Program Files\Torrent-Search

Folder::
C:\Documents and Settings\All Users\Application Data\dilupkzg

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"bCqf6PD0V0"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{858adae0-63cc-11dd-99f3-00805a2069c9}]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
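
The CFScript above targets one HijackThis O4 entry, the `Policies\Explorer\Run` value that launches a randomly named executable from `All Users\Application Data`, plus the folder it lives in. As an added example, not part of this thread and not code from HijackThis or ComboFix, here is a small Python triage script that applies those same signals to O4 lines mechanically and also lists the "(no file)" orphans. The heuristics (the suspect-directory list, the random-name test, the severity rule) are my own assumptions; the sample lines are copied from the HijackThis log tarix posted earlier in the thread.

```python
import re
from dataclasses import dataclass

# Sample input: five lines copied from the HijackThis log posted earlier in this
# thread (the Policies\Explorer\Run entry the CFScript removes, two ordinary Run
# entries, and two "(no file)" orphans) so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [bCqf6PD0V0] C:\Documents and Settings\All Users\Application Data\dilupkzg\lqjinobu.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
"""

# HijackThis O4 layout: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Directories from which legitimate autostart executables are rarely launched.
# This list is an assumption made for the example; matched case-insensitively.
SUSPECT_DIRS = (
    r"\all users\application data",
    r"\local settings\temp",
    r"\windows\temp",
)


@dataclass
class Finding:
    line: str
    severity: str  # "high", "medium" or "low"
    reasons: list


def looks_random(name: str) -> bool:
    """True for machine-generated value names such as 'bCqf6PD0V0':
    8+ alphanumerics mixing upper case, lower case and digits."""
    return (re.fullmatch(r"[A-Za-z0-9]{8,}", name) is not None
            and re.search(r"\d", name) is not None
            and re.search(r"[a-z]", name) is not None
            and re.search(r"[A-Z]", name) is not None)


def check_o4(line: str):
    """Score one O4 autostart line; returns a Finding or None."""
    m = O4_RE.match(line)
    if not m:
        return None
    reasons = []
    key = m.group("key").lower()
    name = m.group("name")
    cmd = m.group("cmd").lower()
    if key.startswith("policies\\explorer\\run"):
        reasons.append("autostart via Policies\\Explorer\\Run, a key legitimate "
                       "software rarely uses")
    if looks_random(name):
        reasons.append(f"random-looking value name {name!r}")
    if any(d in cmd for d in SUSPECT_DIRS):
        reasons.append("executable lives in a user-writable data directory")
    if not reasons:
        return None
    # Two or more independent signals on one entry: treat as high priority.
    return Finding(line, "high" if len(reasons) >= 2 else "medium", reasons)


def check_orphan(line: str):
    """O2/O3/R3 entries ending in '(no file)' reference a component that is
    gone from disk; harmless, but worth removing so the log stays readable."""
    if line.startswith(("O2 - ", "O3 - ", "R3 - ")) and line.rstrip().endswith("(no file)"):
        return Finding(line, "low", ["orphaned entry: registered component has no file on disk"])
    return None


def triage(log_text: str):
    """Run every check over a HijackThis log and return findings in log order."""
    findings = []
    for line in log_text.splitlines():
        finding = check_o4(line) or check_orphan(line)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, the script rates the `bCqf6PD0V0` entry high (all three signals fire) and lists the two orphaned BHO/toolbar entries as low; the AVG and ctfmon lines produce nothing. The point is that none of the signals is conclusive alone: a helper reviewing a log combines the unusual key, the gibberish name and the odd location, which is exactly what the severity rule encodes.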

tarix
2008-10-15, 20:50
Hi Shaba, thanks again. The computer didn't reboot, and here are the log files you asked for:

ComboFix 08-10-14.07 - Casa 2008-10-15 18:31:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.270 [GMT 1:00]
Executando de: C:\Documents and Settings\Casa\Desktop\ComboFix.exe
Comandos utilizados :: C:\Documents and Settings\Casa\Desktop\CFScript.txt
* Criado um novo ponto de restauro
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\dilupkzg

.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-09-15 to 2008-10-15 ))))))))))))))))))))))))))))
.

2008-10-15 15:56 . 2008-10-15 15:56 <DIR> d-------- C:\spoolerlogs
2008-10-14 02:54 . 2008-10-14 02:54 <DIR> d-------- C:\Documents and Settings\Mãe\Application Data\MetaProducts
2008-10-14 02:54 . 2008-10-14 02:54 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\MetaProducts
2008-10-14 02:22 . 2008-10-14 02:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-14 01:09 . 2008-10-14 02:14 4,438 --a------ C:\WINDOWS\system32\tmp.reg
2008-10-13 03:09 . 2008-10-13 23:56 181 --a------ C:\WINDOWS\wininit.ini
2008-10-13 02:15 . 2008-10-13 02:15 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-16 03:08 . 2008-09-16 03:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 17:25 --------- d-----w C:\Program Files\Java
2008-10-15 17:23 --------- d-----w C:\Program Files\Winamp
2008-10-15 15:16 7,886,336 ----a-w C:\WINDOWS\system32\logonuiX.exe
2008-10-15 14:53 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-14 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-10-14 01:54 --------- d-----w C:\Program Files\Download Express
2008-10-14 01:21 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-10-14 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-13 00:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-13 00:44 --------- d-----w C:\Program Files\SpywareBlaster
2008-10-10 07:58 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe
2008-10-10 07:58 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-10-01 14:51 87,552 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-09-30 02:37 --------- d-----w C:\Program Files\Rainlendar2
2008-09-11 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-09-08 22:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-07 19:55 --------- d-----w C:\Documents and Settings\Casa\Application Data\Vso
2008-09-07 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\vsosdk
2008-09-07 05:59 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-09-07 05:59 47,360 ----a-w C:\Documents and Settings\Casa\Application Data\pcouffin.sys
2008-09-07 05:59 --------- d-----w C:\Program Files\vso
2008-09-03 16:38 --------- d-----w C:\Program Files\Google
2008-08-31 22:02 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-08-31 21:47 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-18 11:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-04-14 05:27 81,920 ----a-w C:\Documents and Settings\Casa\Application Data\ezpinst.exe
2008-04-04 02:51 14,290 ----a-w C:\Program Files\settings.dat
2008-03-21 16:12 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

<pre>
----a-w 18,851,397 2008-03-23 16:38:13 C:\Documents and Settings\Casa\My Documents\Downloads\Internet Explorer 7.0.5730.11 (AIO)\Internet Explorer 7.0.5730.11 .exe
</pre>


(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Torrent-Search ----

C:\Program Files\Torrent-Search\


------- Sigcheck -------

2005-03-02 01:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2007-02-28 10:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2003-11-08 13:00 1947904 0e8efb15746878a9b256e75267337233 C:\WINDOWS\$NtServicePackUninstall$\ntkrnlpa.exe
2004-08-04 06:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 01:34 2067712 73c6d7f370eee2330162a8dd3302159c C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2004-08-04 06:59 2056832 947fb1d86d14afcffdb54bf837ec25d0 C:\WINDOWS\ServicePackFiles\i386\ntkrnlpa.exe
2008-04-13 19:31 2065792 109f8e3e3c82e337bb71b6bc9b895d61 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntkrnlpa.exe
2007-02-28 09:38 2068480 bf7d3b9a67fdabb7ada4df7c0286b382 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\VITrans\ntkrnlpa.exe

2005-03-02 02:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2007-02-28 10:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2003-11-08 13:00 2042240 b9080d97dbd631aadf9128f7316958d2 C:\WINDOWS\$NtServicePackUninstall$\ntoskrnl.exe
2004-08-04 07:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 01:59 2190208 ba9c5fd985ba9de863f482b892b0e4ad C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2004-08-04 07:20 2180992 ce218bc7088681faa06633e218596ca7 C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe
2008-04-13 20:27 2188928 0c89243c7c3ee199b96fcc16990e0679 C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ntoskrnl.exe
2007-02-28 10:10 2191232 cc208534f5463d154da324ae9eceac78 C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\VITrans\ntoskrnl.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-15_16.24.35.75 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-15 15:54:02 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_754.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cb90f295-4524-4bd4-adb4-8dc333d67d6a}]
2008-03-13 11:30 1524248 --a------ C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]
@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"
[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]
2008-02-28 13:04 97064 --a------ C:\Program Files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"ViOrb"="C:\Program Files\ViOrb\ViOrb.exe" [2008-05-22 167936]
"Copernic Desktop Search 2"="C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" [2008-02-13 1583624]
"LClock"="C:\Program Files\LClock\lclock.exe" [2004-09-20 65536]
"VisualTaskTips"="C:\Program Files\VisualTaskTips\VisualTaskTips.exe" [2008-02-19 61440]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-07-24 243072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
"PCTVRemote"="C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe" [2002-01-29 61440]
"Opware12"="C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe" [2003-05-20 49152]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-09-26 35328]
"LogonStudio"="C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" [2002-09-04 987187]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-27 184408]
"BootSkin Startup Jobs"="C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" [2004-04-26 270336]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"IME JPN 2007 Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE" [2007-08-23 66936]
"Microsoft Pinyin IME Migration"="C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE" [2006-10-26 32560]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\Casa\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-04-04 575488]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 118784]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"vidc.i420"= i420vfw.dll
"msacm.ac3filter"= ac3filter.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DesktopIconToy]
--a------ 2008-04-26 17:19 450560 C:\Program Files\Desktop Icon Toy\DesktopIconToy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImApp.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R0 u1pvdbs;SONY USB CAMERA Base Driver;C:\WINDOWS\system32\DRIVERS\u1pvdbs.sys [2001-11-27 6225]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-31 97928]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 17:51 13560]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-09-11 124832]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-31 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-31 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 76040]
R2 NeroRegInCDSrv;Nero Registry InCD Service;C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2008-02-28 53032]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
R3 SbieDrv;SbieDrv;C:\Program Files\Sandboxie\SbieDrv.sys [2008-04-27 93696]
R3 u1pvdsm;SONY USB CAMERA Video Capture Device;C:\WINDOWS\system32\DRIVERS\u1pvdsm.sys [2001-11-27 318419]
S3 tbHD;Philips PSC705 WDM Driver;C:\WINDOWS\system32\drivers\TBirdHD.sys [2002-06-04 336066]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 18:34:20
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...


**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Tempo para conclusão: 2008-10-15 18:38:49
ComboFix-quarantined-files.txt 2008-10-15 17:37:46
ComboFix2.txt 2008-10-15 15:26:00

Pré-execução: 3.047.534.592 bytes free
Pós execução: 3,033,747,456 bytes free

206 --- E O F --- 2008-09-11 05:37:15



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:44:17, on 15-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Winamp\winampa.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Casa\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netcabo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: The Lynx Internet Radio Network Toolbar - {cb90f295-4524-4bd4-adb4-8dc333d67d6a} - C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000013.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: The Lynx Internet Radio Network Toolbar - {cb90f295-4524-4bd4-adb4-8dc333d67d6a} - C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IME JPN 2007 Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to Local Website Archive - C:\Documents and Settings\Casa\Application Data\aignes\Local Website Archive\config\iearc.htm
O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Casa\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra 'Tools' menuitem: Add to Local Website Archive - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {651B27BB-07F3-46F6-91E2-73F48BDC7525} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {BAD3887C-C44F-436A-BE7E-184C47E66D09} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 13040 bytes

Shaba
2008-10-15, 20:53
Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
- Spyware, Adware, Dialers, and other potentially dangerous programs
- Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)

tarix
2008-10-16, 00:33
Hi Shaba, sorry to bother you :sad:
I have two disks on my computer, one removable (40 GB) and one internal (80 GB) just for archive. Right now they are about 90% full (I'm planning to buy two other, bigger ones to replace them) since I'm already running out of space. I've already been running the full computer scan for about 3 hours and it's not even in the middle yet (it's still scanning the C disk).
Are you sure you want both disks to be scanned?
If so I'll continue (maybe I'll have to restart tomorrow since it'll be quite annoying to sleep hearing the noise of the computer in the night) and post the log here tomorrow night. Is that all right for you? :)

tarix
2008-10-16, 00:35
Forgot to say that the C disk is removable and contains the system and the programs that I work with. :)

Shaba
2008-10-16, 12:04
Yes, please if possible :)

tarix
2008-10-17, 02:30
Hi Shaba, sorry for the delay on these reports, but as you can see it took more than 7 hours to do the scan. :rolleyes:
Here goes the report from Kaspersky (it looks like I'll have to do a scan with my AVG antivirus) and a fresh HijackThis log.
Thanks for the help !!

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, October 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, October 16, 2008 08:52:28
Records in database: 1315286
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
M:\

Scan statistics:
Files scanned: 134131
Threat name: 44
Infected objects: 343
Suspicious objects: 0
Duration of the scan: 07:17:57


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Casa\Desktop\11\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Casa\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Adventureous_spirit_Buy_IncreaseSpermCount.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click-onlineRX.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Chantal_89_click-onlineRX.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-BIGGERLOADS.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mayram56_click-BIGGERLOADS.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mgaby11_click-onlineRX.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click-BIGGERLOADS.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-BIGGERLOADS.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-onlineRX.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-onlineRX.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{2D60A64E-E25D-4FB9-86AE-F16EB0D0A9FB}\Chantal_89_click-onlineRX.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{5C402DBB-BC46-4548-B3E5-5E947B4E3501}\Saeconsultores_click-BIGGERLOADS.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{71B68522-D715-4062-9184-B142BCA1CC1A}\Buy_Rx_Here.html Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{AC624000-90DF-48E1-AA27-2BA3CED1D596}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C018DE05-6F18-4C56-886F-F1693CC9AD28}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM Infected: Trojan.JS.Redirector.b 1
C:\Documents and Settings\Casa\My Documents\Downloads\Acronis Disk Director Server v10.0 Build 2169 [h33t] [Original]\diskdirectorserver100b2169en1.rar Infected: Trojan-Downloader.Win32.Delf.mmt 1
C:\Documents and Settings\Casa\My Documents\Downloads\Moyea.FLV.To.Video.Converter.Pro.v1.29.2.11.WinAll.Regged-PALACE\FLV2Video_Install.exe Infected: Trojan.Win32.Monder.gen 1
C:\Documents and Settings\Casa\My Documents\Downloads\Moyea.FLV.To.Video.Converter.Pro.v1.29.2.11.WinAll.Regged-PALACE\FLV2Video_Install.exe Infected: Trojan.Win32.Pakes.cgn 1
C:\Films\subtitles\the chronicles of narnia - the lion, the witch, and the wardrobe part 1e 2 .sub portuguese\the chronicles of narnia - the lion, the witch, and the wardrobe part 1.sub portuguese.zip Infected: Trojan-Downloader.WMA.Wimad.d 1
D:\DISCO C E DESKTOP\Disco C.zip Infected: Trojan.JS.Redirector.b 28
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data.cab Infected: Trojan.JS.Redirector.b 3
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data1.cab Infected: Trojan.JS.Redirector.b 3
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data2.cab Infected: Trojan.JS.Redirector.b 3
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data3.cab Infected: Trojan.JS.Redirector.b 3
D:\Films\subtitles\the chronicles of narnia - the lion, the witch, and the wardrobe part 1e 2 .sub portuguese\the chronicles of narnia - the lion, the witch, and the wardrobe part 1.sub portuguese.zip Infected: Trojan-Downloader.WMA.Wimad.d 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{AC624000-90DF-48E1-AA27-2BA3CED1D596}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C018DE05-6F18-4C56-886F-F1693CC9AD28}\BUY_PERMANENTENLARG.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM Infected: Trojan.JS.Redirector.b 1
D:\Incredimail\IM.zip Infected: Trojan.JS.Redirector.b 42
D:\Incredimail\IncrediMail Data2.cab Infected: Trojan.JS.Redirector.b 8
D:\Programas\Longhorn\RockXP4.zip Infected: not-a-virus:PSWTool.Win32.PWDump.2 2
D:\Programas\Longhorn\RockXP4.zip Infected: not-a-virus:PSWTool.Win32.RAS.a 1
D:\Programas\Programas\bsplayer\bsplayer141.832.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\desktop search tools\vmntoolbox.exe Infected: not-a-virus:AdWare.Win32.BHO.byo 1
D:\Programas\Programas\FTP Servers\aceftp3\aceftp3free.exe Infected: not-a-virus:AdWare.Win32.BHO.ajt 1
D:\Programas\Programas\games\PacMan\FishTales.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\games\PacMan\FishTales.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\games\PacMan\Magic_Pets.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\games\PacMan\Magic_Pets.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\games\PacMan\PacManic.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\games\PacMan\PacManic.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\games\PacMan\PacManic_Christmas.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\games\PacMan\PacManic_Christmas.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\games\Screensaver\Amazon_Waterfall_Screensaver\Amazon_Waterfall_Screensaver.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\games\Screensaver\Amazon_Waterfall_Screensaver\Amazon_Waterfall_Screensaver.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\games\Screensaver\Aquarium_Screensaver\Aquarium_Screensaver.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\games\Screensaver\Aquarium_Screensaver\Aquarium_Screensaver.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\games\Screensaver\Christmas_Night_Screensaver\Christmas_Night_Screensaver.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\games\Screensaver\Christmas_Night_Screensaver\Christmas_Night_Screensaver.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\games\Screensaver\Sea_Castle_Screensaver\Sea_Castle_Screensaver.exe Infected: not-a-virus:AdTool.Win32.WhenU.a 1
D:\Programas\Programas\games\Screensaver\Sea_Castle_Screensaver\Sea_Castle_Screensaver.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\ie 7\ie7\Add Ons\vmntoolbox.exe Infected: not-a-virus:AdWare.Win32.BHO.byo 1
D:\Programas\Programas\incredimail\PhotoJoy\PhotoJoy_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.o 1
D:\Programas\Programas\MSN\Msn Live Messenger 8\Setup.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as 1
D:\Programas\Programas\MSN\Msn Live Messenger 8\SmileyCentralPFSetup2.1.50.3-3.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1
D:\Programas\Programas\Screensavers\sinstaller2(2).exe Infected: not-a-virus:AdWare.Win32.Comet.ac 1
D:\Programas\Programas\Stardock\themes\105063.exe Infected: not-a-virus:AdWare.Win32.EZula.z 1
D:\Programas\Programas\Stardock\themes\tcf1464.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
D:\Programas\Programas\Stardock\themes\tcf1464.exe Infected: not-a-virus:AdWare.Win32.Gator.3103 1
D:\Programas\Programas\Stardock\themes\tcf1464.exe Infected: not-a-virus:AdWare.Win32.EZula.z 1
D:\Programas\Programas\Stardock\themes\tcf1464.exe Infected: Trojan-Dropper.Win32.Agent.pd 1
D:\Programas\Programas\Varios\mailpv.zip Infected: not-a-virus:PSWTool.Win32.MailPassView.e 1
D:\Programas\Programas\Varios\MSN-Password-Recovery-setup.exe Infected: not-a-virus:PSWTool.Win32.MSNPassword.e 1
D:\Programas\Vista\Vista\5\Vista Transformation Pack 5.5.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\6\vtp6(1).zip Infected: not-a-virus:RiskTool.Win32.CloseApp.e 2
D:\Programas\Vista\Vista\6\vtp6(1).zip Infected: Trojan-Spy.Win32.Agent.ehl 1
D:\Programas\Vista\Vista\6\vtp6.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.e 2
D:\Programas\Vista\Vista\6\vtp6.zip Infected: Trojan-Spy.Win32.Agent.ehl 1
D:\Programas\Vista\Vista\6\vtp61.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.e 2
D:\Programas\Vista\Vista\6\vtp61.zip Infected: Trojan-Spy.Win32.Agent.ehl 1
D:\Programas\Vista\Vista\unziped\Vista Transformation Pack 3.0.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\unziped2\Vista Transformation Pack 3.0.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\unziped2\Vista Transformation Pack 4.0.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\Vista Transformation Pack\Vista Transformation Pack.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\Vista Transformation Pack\Vista_Transformation_Pack_4.0.rar Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\Vista Transformation Pack\vtp3.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\Vista Transformation Pack\vtp4.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\vitrans.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\vitrans2.0.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\vitrans_lite.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\vtp5_5.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.a 2
D:\Programas\Vista\Vista\vtp6(1)\Vista Transformation Pack 6.0.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 2
D:\Programas\Vista\Vista\vtp6(1)\Vista Transformation Pack 6.0.exe Infected: Trojan-Spy.Win32.Agent.ehl 1
D:\Programas\Vista\Vista\vtp6(1)\vtp6.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.e 2
D:\Programas\Vista\Vista\vtp6(1)\vtp6.zip Infected: Trojan-Spy.Win32.Agent.ehl 1
D:\Programas\Vista\Vista\vtp6(1).zip Infected: not-a-virus:RiskTool.Win32.CloseApp.e 2
D:\Programas\Vista\Vista\vtp6(1).zip Infected: Trojan-Spy.Win32.Agent.ehl 1
D:\Programas\Vista\Vista\vtp6.zip Infected: not-a-virus:RiskTool.Win32.CloseApp.e 2
D:\Programas\Vista\Vista\vtp6.zip Infected: Trojan-Spy.Win32.Agent.ehl 1
D:\Programas\Vista\Vista\vtp8\extras\FastAero\FastAero_0751f_eng0.121 Infected: Trojan-Downloader.Win32.Banload.tvg 1
D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.ace Infected: Trojan.Win32.VB.ef 6
D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.ace Infected: not-a-virus:AdWare.Win32.Aureate.a 5
D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.zip Infected: Trojan.Win32.VB.ef 4
D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.zip Infected: not-a-virus:AdWare.Win32.Aureate.a 5

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20:16, on 17-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\ViOrb\ViOrb.exe
C:\Program Files\LClock\lclock.exe
C:\Program Files\VisualTaskTips\VisualTaskTips.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Documents and Settings\Casa\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netcabo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.1852\swg.dll
O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O2 - BHO: The Lynx Internet Radio Network Toolbar - {cb90f295-4524-4bd4-adb4-8dc333d67d6a} - C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Copernic Desktop Search 2 - {968631B6-4729-440D-9BF4-251F5593EC9A} - C:\Program Files\Copernic Desktop Search 2\DesktopSearchBand203000013.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: The Lynx Internet Radio Network Toolbar - {cb90f295-4524-4bd4-adb4-8dc333d67d6a} - C:\Program Files\The_Lynx_Internet_Radio_Network\tbThe_.dll
O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
O3 - Toolbar: &Netcraft Toolbar - {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - C:\Program Files\Netcraft Toolbar\nctb.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Opware12] "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IME JPN 2007 Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload
O4 - HKLM\..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ViOrb] C:\Program Files\ViOrb\ViOrb.exe
O4 - HKCU\..\Run: [Copernic Desktop Search 2] "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
O4 - HKCU\..\Run: [LClock] C:\Program Files\LClock\lclock.exe
O4 - HKCU\..\Run: [VisualTaskTips] C:\Program Files\VisualTaskTips\VisualTaskTips.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Styler.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\Program Files\IncrediMail\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: Add to Local Website Archive - C:\Documents and Settings\Casa\Application Data\aignes\Local Website Archive\config\iearc.htm
O8 - Extra context menu item: Add to WebSite-Watcher - C:\Documents and Settings\Casa\Application Data\aignes\WebSite-Watcher\config\settings\wswie.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra 'Tools' menuitem: Add to Local Website Archive - {298C0B4F-3330-4F82-A2B0-75CB87AC3E97} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {651B27BB-07F3-46F6-91E2-73F48BDC7525} - C:\Program Files\Local Website Archive\wsarc_add.exe (HKCU)
O9 - Extra button: Add to Local Website Archive - {BAD3887C-C44F-436A-BE7E-184C47E66D09} - C:\Program Files\Local Website Archive\wsarc.exe (HKCU)
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe

--
End of file - 12747 bytes

tarix
2008-10-17, 02:41
(It looks like I'll have to do a scan with my AVG antivirus.)
..............................................................................

But I'll wait to do so until you tell me to.
Thanks again :) !!!

Shaba
2008-10-17, 10:23
Please download the OTMoveIt3 by OldTimer (http://oldtimer.geekstogo.com/OTMoveIt3.exe).

Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Adventureous_spirit_Buy_IncreaseSpermCount.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Chantal_89_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mayram56_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mgaby11_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{2D60A64E-E25D-4FB9-86AE-F16EB0D0A9FB}\Chantal_89_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{5C402DBB-BC46-4548-B3E5-5E947B4E3501}\Saeconsultores_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{71B68522-D715-4062-9184-B142BCA1CC1A}\Buy_Rx_Here.html
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{AC624000-90DF-48E1-AA27-2BA3CED1D596}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C018DE05-6F18-4C56-886F-F1693CC9AD28}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM
C:\Documents and Settings\Casa\My Documents\Downloads\Acronis Disk Director Server v10.0 Build 2169 [h33t] [Original]\diskdirectorserver100b2169en1.rar
C:\Documents and Settings\Casa\My Documents\Downloads\Moyea.FLV.To.Video.Converter.Pro.v1.29.2.11.WinAll.Regged-PALACE
C:\Documents and Settings\Casa\My Documents\Downloads
C:\Films\subtitles\the chronicles of narnia - the lion, the witch, and the wardrobe part 1e 2 .sub portuguese\the chronicles of narnia - the lion, the witch, and the wardrobe part 1.sub portuguese.zip
D:\DISCO C E DESKTOP\Disco C.zip
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data.cab
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data1.cab
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data2.cab
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data3.cab
D:\Films\subtitles\the chronicles of narnia - the lion, the witch, and the wardrobe part 1e 2 .sub portuguese\the chronicles of narnia - the lion, the witch, and the wardrobe part 1.sub portuguese.zip
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML Infected:
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML Infected:
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm I
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML Infected:
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm Infected:
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML Infected:
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{AC624000-90DF-48E1-AA27-2BA3CED1D596}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C018DE05-6F18-4C56-886F-F1693CC9AD28}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM
D:\Incredimail\IM.zip
D:\Programas\Programas\bsplayer\bsplayer141.832.exe
D:\Programas\Programas\desktop search tools\vmntoolbox.exe
D:\Programas\Programas\FTP Servers\aceftp3\aceftp3free.exe
D:\Programas\Programas\games\PacMan
D:\Programas\Programas\games\Screensaver\Amazon_Waterfall_Screensaver
D:\Programas\Programas\games\Screensaver\Aquarium_Screensaver
D:\Programas\Programas\games\Screensaver\Christmas_Night_Screensaver
D:\Programas\Programas\games\Screensaver\Sea_Castle_Screensaver
D:\Programas\Programas\ie 7\ie7\Add Ons\vmntoolbox.exe
D:\Programas\Programas\incredimail\PhotoJoy\PhotoJoy_Install.exe
D:\Programas\Programas\MSN\Msn Live Messenger 8\Setup.exe
D:\Programas\Programas\MSN\Msn Live Messenger 8\SmileyCentralPFSetup2.1.50.3-3.exe
D:\Programas\Programas\Screensavers\sinstaller2(2).exe
D:\Programas\Programas\Stardock\themes\105063.exe
D:\Programas\Programas\Stardock\themes\tcf1464.exe
D:\Programas\Programas\Varios\mailpv.zip Infected: not-a-virus:PSWTool.Win32.MailPassView.e 1
D:\Programas\Programas\Varios\MSN-Password-Recovery-setup.exe
D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.ace
D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.zip


Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
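
The paste list above carries, alongside the file paths, fragments of the scanner report it was copied from: a full "Infected: <verdict> <count>" tail on some lines, a bare "Infected:" on others, and a lone "I" where the word was split at a line break. As an added example that is not part of this thread or of OTMoveIt3, the Python below separates each line into a clean path and its residue, keeps the scanner verdict where one survived, and flags entries an operator would want to look at twice before moving anything (no file extension in the last component, which usually means a folder, so everything under it would move). The sample input, the function names and the `Entry` type are the example's own, constructed from the shapes of lines on this page; the rule that a trailing lone "I" is a wrapped "Infected:" is a heuristic and would also clip a path that genuinely ends in " I".

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the pasted list above. It mixes clean paths
# with the residue a line-wrapped copy of a scanner report leaves behind: a full
# "Infected: <name> <count>" tail, a bare "Infected:" and a lone "I".
SAMPLE = r"""
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\Message Store\Attachments\BUY_MultiOrgasms.HTM Infected:
C:\Documents and Settings\Casa\My Documents\Downloads\Acronis Disk Director Server v10.0 Build 2169 [h33t] [Original]\diskdirectorserver100b2169en1.rar I
C:\Documents and Settings\Casa\My Documents\Downloads
C:\Films\subtitles\narnia part 1.sub portuguese.zip Infected: Trojan-Downloader.WMA.Wimad.d 1
D:\Programas\Programas\Varios\mailpv.zip Infected: not-a-virus:PSWTool.Win32.MailPassView.e 1
D:\Programas\Programas\bsplayer\bsplayer141.832.exe
"""

# A path, then optionally either a scan-result tail ("Infected: name count", any
# part of which may be missing) or a lone "I" left over from a wrapped "Infected:".
# The lazy path group stops at the first point where the rest of the line is
# entirely such a tail, so only trailing residue is ever clipped.
_LINE = re.compile(
    r"^(?P<path>.*?)"
    r"(?:\s+(?P<residue>Infected:)(?:\s+(?P<name>\S+)(?:\s+(?P<count>\d+))?)?"
    r"|\s+(?P<wrapped>I))?"
    r"\s*$"
)


@dataclass
class Entry:
    path: str
    residue: Optional[str] = None     # text stripped from the line, if any
    detection: Optional[str] = None   # scanner verdict, when the tail carried one
    count: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one pasted line into a clean path plus whatever trailed it."""
    line = line.strip()
    if not line:
        return None
    m = _LINE.match(line)            # always matches: the tail is optional
    entry = Entry(path=m.group("path"))
    if m.group("residue"):
        entry.residue = m.group("residue")
        entry.detection = m.group("name")
        entry.count = int(m.group("count")) if m.group("count") else None
    elif m.group("wrapped"):
        entry.residue = m.group("wrapped")
    # Heuristic checks an operator wants before moving anything (assumptions, not
    # anything the tool itself enforces).
    last = entry.path.rsplit("\\", 1)[-1]
    if "." not in last:
        entry.flags.append("no-extension")   # probably a folder: all of it would move
    if not re.match(r"^[A-Za-z]:\\", entry.path):
        entry.flags.append("not-absolute")
    return entry


def clean_list(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def render_move_list(entries: List[Entry]) -> str:
    """The text to paste into the tool: one clean path per line, residue gone."""
    return "\n".join(e.path for e in entries)


def review_report(entries: List[Entry]) -> List[str]:
    """Notes an operator should read before clicking the move button."""
    notes = []
    for e in entries:
        if e.residue:
            what = f"{e.residue!r}" + (f" ({e.detection})" if e.detection else "")
            notes.append(f"stripped {what} from: {e.path}")
        for f in e.flags:
            notes.append(f"{f}: {e.path}")
    return notes


if __name__ == "__main__":
    entries = clean_list(SAMPLE)
    print(render_move_list(entries))
    print()
    for note in review_report(entries):
        print("REVIEW", note)
```

Run it over the real list by replacing `SAMPLE` with the pasted text; the first block of output is what goes into the tool, the `REVIEW` lines are what to check by hand. Keeping the verdict next to each stripped path is deliberate: once the residue is gone from the move list, the report is the only record of why a given file was on it.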

tarix
2008-10-17, 16:08
Hi Shaba, here's what you asked for.

Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm I> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Adventureous_spirit_Buy_IncreaseSpermCount.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm Infected: > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm Infected: > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM Infected: > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click-onlineRX.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Chantal_89_click-onlineRX.htm> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-BIGGERLOADS.htm> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mayram56_click-BIGGERLOADS.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mgaby11_click-onlineRX.htm> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click-BIGGERLOADS.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-BIGGERLOADS.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-onlineRX.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm Infected: > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-onlineRX.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{2D60A64E-E25D-4FB9-86AE-F16EB0D0A9FB}\Chantal_89_click-onlineRX.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{5C402DBB-BC46-4548-B3E5-5E947B4E3501}\Saeconsultores_click-BIGGERLOADS.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{71B68522-D715-4062-9184-B142BCA1CC1A}\Buy_Rx_Here.html > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm > in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML> in the current context!
Error: Unable to interpret <C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM> in the current context!

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10172008_140346

Shaba
2008-10-17, 19:04
My bad, there was something missing.

Please add :files on its own line before the first entry and try again.

tarix
2008-10-17, 23:57
Hi Shaba, sorry but I didn't understand the last request, :sad: can you explain it better please? Thanks :)

Shaba
2008-10-18, 12:06
Sure :)

Please do this:


Save it to your desktop.
Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



:files
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Adventureous_spirit_Buy_IncreaseSpermCount.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Chantal_89_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mayram56_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mgaby11_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{2D60A64E-E25D-4FB9-86AE-F16EB0D0A9FB}\Chantal_89_click-onlineRX.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{5C402DBB-BC46-4548-B3E5-5E947B4E3501}\Saeconsultores_click-BIGGERLOADS.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{71B68522-D715-4062-9184-B142BCA1CC1A}\Buy_Rx_Here.html
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{AC624000-90DF-48E1-AA27-2BA3CED1D596}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C018DE05-6F18-4C56-886F-F1693CC9AD28}\BUY_PERMANENTENLARG.HTM
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM
C:\Documents and Settings\Casa\My Documents\Downloads\Acronis Disk Director Server v10.0 Build 2169 [h33t] [Original]\diskdirectorserver100b2169en1.rar
C:\Documents and Settings\Casa\My Documents\Downloads\Moyea.FLV.To.Video.Converter.Pro.v1.29.2.11.WinAll.Regged-PALACE
C:\Documents and Settings\Casa\My Documents\Downloads
C:\Films\subtitles\the chronicles of narnia - the lion, the witch, and the wardrobe part 1e 2 .sub portuguese\the chronicles of narnia - the lion, the witch, and the wardrobe part 1.sub portuguese.zip
D:\DISCO C E DESKTOP\Disco C.zip
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data.cab
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data1.cab
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data2.cab
D:\DISCO C E DESKTOP\IncrediMail Transferred Data\IncrediMail Data3.cab
D:\Films\subtitles\the chronicles of narnia - the lion, the witch, and the wardrobe part 1e 2 .sub portuguese\the chronicles of narnia - the lion, the witch, and the wardrobe part 1.sub portuguese.zip
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm I
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML Infected:
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm Infected:
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML Infected:
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{AC624000-90DF-48E1-AA27-2BA3CED1D596}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C018DE05-6F18-4C56-886F-F1693CC9AD28}\BUY_PERMANENTENLARG.HTM
D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM
D:\Incredimail\IM.zip
D:\Programas\Programas\bsplayer\bsplayer141.832.exe
D:\Programas\Programas\desktop search tools\vmntoolbox.exe
D:\Programas\Programas\FTP Servers\aceftp3\aceftp3free.exe
D:\Programas\Programas\games\PacMan
D:\Programas\Programas\games\Screensaver\Amazon_Waterfall_Screensaver
D:\Programas\Programas\games\Screensaver\Aquarium_Screensaver
D:\Programas\Programas\games\Screensaver\Christmas_Night_Screensaver
D:\Programas\Programas\games\Screensaver\Sea_Castle_Screensaver
D:\Programas\Programas\ie 7\ie7\Add Ons\vmntoolbox.exe
D:\Programas\Programas\incredimail\PhotoJoy\PhotoJoy_Install.exe
D:\Programas\Programas\MSN\Msn Live Messenger 8\Setup.exe
D:\Programas\Programas\MSN\Msn Live Messenger 8\SmileyCentralPFSetup2.1.50.3-3.exe
D:\Programas\Programas\Screensavers\sinstaller2(2).exe
D:\Programas\Programas\Stardock\themes\105063.exe
D:\Programas\Programas\Stardock\themes\tcf1464.exe
D:\Programas\Programas\Varios\mailpv.zip Infected: not-a-virus:PSWTool.Win32.MailPassView.e 1
D:\Programas\Programas\Varios\MSN-Password-Recovery-setup.exe
D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.ace
D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.zip


Return to OTMoveIt3, right click in the "Paste List of Files/Folders to Move" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting all of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
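The move list above was assembled from a scanner report, so several entries still carry the scanner's annotations ("Infected: ...", a lone trailing "I" where "Infected:" was cut off), and OTMoveIt3 will report those as "not found" because no file with that exact name exists. The following is an added example, not part of Shaba's instructions and not code from the OTMoveIt3 tool: it strips such annotations from a move list and classifies an OTMoveIt3 results log into moved / not found entries, flagging "not found" lines that were looked up under an annotated name. The sample move-list and results lines are constructed to mirror the shapes seen in this thread, and the rule that a lone trailing "I" is a truncated "Infected:" is an assumption based on that pasted list.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the move list pasted above, including
# the scanner-log fragments that were carried over from the scan report.
SAMPLE_MOVE_LIST = r"""
C:\Films\subtitles\example.zip Infected: Trojan-Downloader.WMA.Wimad.d 1
D:\Programas\Programas\Varios\mailpv.zip Infected: not-a-virus:PSWTool.Win32.MailPassView.e 1
C:\Documents and Settings\Casa\My Documents\Downloads\example.rar I
D:\Incredimail\IM\IM\Identities\{GUID}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML Infected:
D:\DISCO C E DESKTOP\Disco C.zip
"""

# Constructed sample in the shape of an OTMoveIt3 results log.
SAMPLE_RESULTS = r"""
========== FILES ==========
File/Folder C:\Documents and Settings\Casa\My Documents\Downloads\example.rar I not found.
D:\DISCO C E DESKTOP\Disco C.zip moved successfully.
File/Folder D:\Programas\Programas\Varios\mailpv.zip not found.
"""

# Trailing scanner annotation: " Infected: <detection> <count>", a truncated
# " Infected:", or a lone " I" left by a cut-off "Infected:" (assumption:
# a real filename does not end in " I").
_ANNOTATION = re.compile(r"\s+(?:Infected:.*|I)$")

# OTMoveIt3 result line shapes, as seen in the log posted in this thread.
_NOT_FOUND = re.compile(r"^File/Folder (?P<path>.+) not found\.$")
_MOVED = re.compile(r"^(?P<path>.+) moved successfully\.$")


def clean_move_list(text: str) -> List[str]:
    """Return bare paths from a move list, stripping scanner annotations."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        paths.append(_ANNOTATION.sub("", line))
    return paths


def parse_otmoveit_results(text: str) -> Dict[str, List[str]]:
    """Classify OTMoveIt3 result lines into moved / not_found / other."""
    result: Dict[str, List[str]] = {"moved": [], "not_found": [], "other": []}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=="):  # skip blanks and section banners
            continue
        m = _NOT_FOUND.match(line)
        if m:
            result["not_found"].append(m.group("path"))
            continue
        m = _MOVED.match(line)
        if m:
            result["moved"].append(m.group("path"))
            continue
        result["other"].append(line)
    return result


def suspicious_not_found(results: Dict[str, List[str]]) -> List[str]:
    """'not found' entries that still carry an annotation: the tool looked for
    a name that never existed, so the real file may still be on disk."""
    return [p for p in results["not_found"] if _ANNOTATION.search(p)]


if __name__ == "__main__":
    for p in clean_move_list(SAMPLE_MOVE_LIST):
        print("clean:", p)
    res = parse_otmoveit_results(SAMPLE_RESULTS)
    print("moved:", len(res["moved"]), "not found:", len(res["not_found"]))
    for p in suspicious_not_found(res):
        print("re-check with the bare path:", _ANNOTATION.sub("", p))
```

Running `clean_move_list` over a move list before pasting it into OTMoveIt3 avoids the spurious "not found" results; running `suspicious_not_found` over the returned log tells you which entries still need a second pass with the bare path.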

tarix
2008-10-18, 15:39
Hi Shaba, I have followed your instructions, but the first time I ran OTMoveIt the computer stalled and couldn't produce any log. I ran it again and it produced this:

Files moved on Reboot...
D:\DISCO C E DESKTOP\Disco C.zip moved successfully.

Meanwhile I've gone to C:\_OTMoveIt\MovedFiles and noticed that it has only the last log I sent to you yesterday, and that the folder is about 12.8 GB big. Isn't that too much? It's about 1/3 of the capacity of C: (my C: disk has only about 950 MB of free space now, and I wonder if that was the reason for it to stall and "freeze" the programs when running them!?). Should I delete that folder and repeat the process again?
Thanks

Shaba
2008-10-18, 15:43
Yes, you can do that.

But if OTMoveIt3 fails, you can delete those files manually (unless you need some of them).

tarix
2008-10-19, 05:27
Hi Shaba, I finally did it, after a few passes with OTMoveIt3 in which the computer stalled every time except for this last one :) Here is the log from OTMoveIt3 that you requested; the files missing from the log that OTMoveIt3 couldn't move I deleted manually, as you said (except for those I needed) :)
How does it look now?
Thanks

========== FILES ==========
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm I not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Adventureous_spirit_Buy_IncreaseSpermCount.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm Infected: not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm Infected: not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM Infected: not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click-onlineRX.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Chantal_89_click-onlineRX.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-BIGGERLOADS.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mayram56_click-BIGGERLOADS.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mgaby11_click-onlineRX.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click-BIGGERLOADS.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-BIGGERLOADS.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-onlineRX.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Sbrittonga_click-onlineRX.htm Infected: not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-onlineRX.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{2D60A64E-E25D-4FB9-86AE-F16EB0D0A9FB}\Chantal_89_click-onlineRX.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{5C402DBB-BC46-4548-B3E5-5E947B4E3501}\Saeconsultores_click-BIGGERLOADS.htm not found.
C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{65D1C754-A492-454A-99E1-48B877843A87}\Saeconsultores_click-PERMANENTENLARGER.htm moved successfully.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{71B68522-D715-4062-9184-B142BCA1CC1A}\Buy_Rx_Here.html not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{AC624000-90DF-48E1-AA27-2BA3CED1D596}\BUY_PERMANENTENLARG.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C018DE05-6F18-4C56-886F-F1693CC9AD28}\BUY_PERMANENTENLARG.HTM not found.
File/Folder C:\Documents and Settings\Casa\Local Settings\Application Data\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM Infected: not found.
File/Folder C:\Documents and Settings\Casa\My Documents\Downloads\Acronis Disk Director Server v10.0 Build 2169 [h33t] [Original]\diskdirectorserver100b2169en1.rar I not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Abnardella_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Alidatulian_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Beck_Buy_PermanentEnlarger.HTML Infected: not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Boggs_Buy_HERBALVIAGRA.HTML Infected: not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buddy1237-Lose-10poundsIn10days.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_DIET_SENSATION.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_ExplodingOrgasm-BiggerLoads.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Buy_ExplodingOrgasms.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GREAT_MALENLARGER.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_GUARANTEEDENLARGER.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_HERBALVIAGRA.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LASTLONGER.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_LAST_LONGER.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_MultiOrgasms.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENTENLARG.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_PERMANENT_ENLARG.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_SPERMCOUNT.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\BUY_YOURSPERMCOUNT.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Carminaherrera_click_LAST-LONGER.htm I not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\click-WeightLossSensation.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Conejobustos_10POUNDSIN10DAYSDIET.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Farris_Buy_PermanentEnlarger.HTML Infected: not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frankmadero_click-sdrfs.htm Infected: not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Frtrus.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Gcaldera31_Buy_PermanentEnlarger.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hamlin_Buy_PermanentEnlarger.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Hogue_Buy_PermanentEnlarger.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jesines-Lose-10poundsIn10days.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Jlaws27_click-EXPLODING-ORGASMS.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Kim_Buy_PermanentEnlarger.HTML Infected: not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Krmuska182_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lorettab4_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Lori_last_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mackey_Buy_HERBALVIAGRA.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Mmary84_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Moreno_Buy_PermanentEnlarger.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_3DayDeliveryRXmed.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\OpenThisHTML_FastDeliveryRXmed.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Osborne_Buy_PermanentEnlarger.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_10POUNDSIN10DAYSDIET.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Paulomarques84_click-ONLINE_PHARM.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Perlunix_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pmc49_click_PERMANENTGrowth.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Pompier80_click-BIGGERLOADS.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Remacost_10POUNDSIN10DAYSDIET.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Saeconsultores_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Shannon_Buy_PermanentEnlarger.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Stahl_Buy_HERBALVIAGRA.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Toan_alex_nguyen_10POUNDSIN10DAYSDIET.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Unforgiv3n_click-BiggerLoads.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Wellsburggirl_Buy_Last-Longer.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Yutsc_click_LASTLONGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\Zerosklero-Lose-10poundsIn10days.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{01C8D34D-DF5D-463E-8CD2-E911826231F2}\BUY_PERMANENTENLARG.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{075899CB-20B2-407F-904B-BF952A5230CC}\BUY_PERMANENTENLARG.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{0E7C65B6-CD51-4DC4-A2BC-6CDB5A7D09C6}\BUY_PERMANENTENLARG.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{354C5E39-0E90-477C-9217-82998227E73E}\BUY_SPERMCOUNT.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{36822013-9908-42E6-B647-752E27CB4752}\Lorettab4_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{8A3E94EC-ECAE-4D43-8E1D-40FEE42FAABA}\BUY_PERMANENTENLARG.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{927AE709-00FF-4BE0-A7F7-2D4FFBA9D24E}\Lori_last_click-PERMANENTENLARGER.htm not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{93E04E5C-84C0-468E-A5FC-05BE0728B3BC}\BUY_YOURSPERMCOUNT.HTML not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{95FB89A0-A70A-4725-A645-469075A9D098}\BUY_PERMANENTENLARG.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C018DE05-6F18-4C56-886F-F1693CC9AD28}\BUY_PERMANENTENLARG.HTM not found.
File/Folder D:\Incredimail\IM\IM\Identities\{BE1587C5-0527-4641-BFA4-3A646EDD576F}\Message Store\Attachments\{C4F9D6B9-045C-4316-9147-AF9B9C114589}\BUY_MultiOrgasms.HTM not found.
File/Folder D:\Programas\Programas\bsplayer\bsplayer141.832.exe not found.
File/Folder D:\Programas\Programas\desktop search tools\vmntoolbox.exe not found.
File/Folder D:\Programas\Programas\FTP Servers\aceftp3\aceftp3free.exe not found.
File/Folder D:\Programas\Programas\games\PacMan not found.
File/Folder D:\Programas\Programas\games\Screensaver\Amazon_Waterfall_Screensaver not found.
File/Folder D:\Programas\Programas\games\Screensaver\Aquarium_Screensaver not found.
File/Folder D:\Programas\Programas\games\Screensaver\Christmas_Night_Screensaver not found.
File/Folder D:\Programas\Programas\games\Screensaver\Sea_Castle_Screensaver not found.
File/Folder D:\Programas\Programas\ie 7\ie7\Add Ons\vmntoolbox.exe not found.
File/Folder D:\Programas\Programas\incredimail\PhotoJoy\PhotoJoy_Install.exe not found.
File/Folder D:\Programas\Programas\MSN\Msn Live Messenger 8\Setup.exe not found.
File/Folder D:\Programas\Programas\MSN\Msn Live Messenger 8\SmileyCentralPFSetup2.1.50.3-3.exe not found.
File/Folder D:\Programas\Programas\Screensavers\sinstaller2(2).exe not found.
File/Folder D:\Programas\Programas\Stardock\themes\105063.exe not found.
File/Folder D:\Programas\Programas\Stardock\themes\tcf1464.exe not found.
File/Folder D:\Programas\Programas\Varios\mailpv.zip Infected: not-a-virus:PSWTool.Win32.MailPassView.e 1 not found.
File/Folder D:\Programas\Programas\Varios\MSN-Password-Recovery-setup.exe not found.
File/Folder D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.ace not found.
File/Folder D:\Shared Folder\Completos\Programs\Microsoft\Windows\Descodificador Tvcabo Para Winxp Compativel Com Pinnacle.zip not found.

OTMoveIt3 by OldTimer - Version 1.0.5.0 log created on 10192008_030501

Shaba
2008-10-19, 12:14
It looks good :)

Still problems?

tarix
2008-10-19, 17:20
Hi Shaba,
As far as I can notice, and I've gained about 10Gb of free space on my C: disk, I now have two pop-up windows when the computer starts: one from my TV board asking to select the COM (but it's already selected and functions properly) and another saying that Windows disabled something by the name Direct CD, which could make Windows run with instability. Also, when Windows starts it asks me to choose between my operating system and Windows management console, but I guess it's normal since we haven't uninstalled some programs we used to clean up this mess. But the rest seems alright now. Can you help me with that too, or do I have to open a new thread? :)
Thanks a lot for all the help you're giving me. :)

Shaba
2008-10-19, 19:39
Disabling this should help for first error message:

O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe

"also when Windows starts it asks me to choose between my operating system and Windows management console but I guess it's normal since we haven't uninstalled some programs"

That is due to the Recovery Console. I recommend that you keep it. I can give instructions for uninstalling it if you like.

tarix
2008-10-19, 19:44
Hi Shaba,

Disabling this should help for first error message:

O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe

How do I disable that? I went to the program itself and there's no option to do it.

Thanks

Shaba
2008-10-19, 19:46
Open HijackThis, click "Do a system scan only" and checkmark it.

Close all windows, including the browser, and press "Fix checked".

tarix
2008-10-19, 19:49
Hi Shaba,
Thanks :bigthumb:
What about the other one: "another saying that Windows disabled something by the name Direct CD, which could make Windows run with instability"?

Shaba
2008-10-19, 19:53
All I see are Nero-related entries.

You could try uninstalling/re-installing Nero.

tarix
2008-10-21, 03:08
Hi Shaba,
I did what you suggested and re-installed Nero. After this I made Spybot check and it couldn't find any trace of the damn thing, and finally I did a defragmentation on my disks (which I couldn't for ages :) ) and the computer seems like new now. Thanks a lot for your support, you're the best!! :2thumb:
I have a question now on what to do next: are we finished with this? What about the programs we used/installed, should I keep them or uninstall them (for me they could stay there as they don't bother me at all, just in case :rolleyes: ), and should I re-enable Spybot TeaTimer again?

I would like to ask you this, but I don't know if I should open a new thread as this is a different problem. Anyhow, I'm sure you may give me some advice: first, whether I should open a new thread, and second, where I should post it, or whether you may help me with this without opening one.
As you know I have another disk C: (in a different swappable drawer) which has given me some problems, as Spybot detects something is trying to connect to the net immediately, and as TeaTimer is on it starts to block that thing, filling my desktop with popups. I've run Spybot and it detects it but can't remove it, so it asks to run on reboot (which I did) but still the same happens (I think S&D can't remove it). What should I do? I have tried an online scanner but it couldn't run either. I have some very important information on that disk and I really, really don't want to lose it!! :sad:

Shaba
2008-10-21, 16:01
Then please post the Spybot report next :)

tarix
2008-10-22, 02:29
Hi Shaba,
Here goes the latest (I think) S&D report:
Thanks

--- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

2008-07-07 blindman.exe (1.0.0.8)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-07-07 SDFiles.exe (1.6.0.4)
2008-07-07 SDMain.exe (1.0.0.6)
2008-07-07 SDShred.exe (1.0.2.3)
2008-07-07 SDUpdate.exe (1.6.0.8)
2008-07-07 SDWinSec.exe (1.0.0.12)
2008-07-07 SpybotSD.exe (1.6.0.30)
2008-09-16 TeaTimer.exe (1.6.3.25)
2007-07-09 unins000.exe (51.41.0.0)
2008-08-13 unins001.exe (51.49.0.0)
2008-07-07 Update.exe (1.6.0.7)
2008-07-07 advcheck.dll (1.6.1.12)
2007-04-02 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-09-15 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2008-07-07 Tools.dll (2.1.5.7)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2008-09-02 Includes\Adware.sbi
2008-10-14 Includes\AdwareC.sbi
2008-06-03 Includes\Cookies.sbi
2008-09-02 Includes\Dialer.sbi
2008-09-09 Includes\DialerC.sbi
2008-07-23 Includes\HeavyDuty.sbi
2008-09-02 Includes\Hijackers.sbi
2008-10-07 Includes\HijackersC.sbi
2008-09-09 Includes\Keyloggers.sbi
2008-10-14 Includes\KeyloggersC.sbi
2004-11-29 Includes\LSP.sbi
2008-10-08 Includes\Malware.sbi
2008-10-14 Includes\MalwareC.sbi
2008-09-02 Includes\PUPS.sbi
2008-10-14 Includes\PUPSC.sbi
2007-11-07 Includes\Revision.sbi
2008-06-18 Includes\Security.sbi
2008-09-30 Includes\SecurityC.sbi
2008-06-03 Includes\Spybots.sbi
2008-06-03 Includes\SpybotsC.sbi
2008-09-09 Includes\Spyware.sbi
2008-10-14 Includes\SpywareC.sbi
2008-06-03 Includes\Tracks.uti
2008-10-15 Includes\Trojans.sbi
2008-10-14 Includes\TrojansC.sbi
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


--- System information ---
Windows XP (Build: 2600) Service Pack 2 (5.1.2600)
/ MSXML4SP2: Security update for MSXML4 SP2 (KB936181)
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player 10: Security Update for Windows Media Player 10 (KB936782)
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows Media Player 9: Security Update for Windows Media Player 9 (KB917734)
/ Windows XP: Security Update for Windows XP (KB923689)
/ Windows XP: Security Update for Windows XP (KB941569)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB938127)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB942615)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB944533)
/ Windows XP / SP0: Hotfix for Windows Internet Explorer 7 (KB947864)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB950759)
/ Windows XP / SP0: Security Update for Windows Internet Explorer 7 (KB953838)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Update for Windows XP (KB904942)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB914440)
/ Windows XP / SP3: Hotfix for Windows XP (KB915800)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917159)
/ Windows XP / SP3: Security Update for Windows XP (KB917344)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918118)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB918899)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Security Update for Windows XP (KB921883)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Security Update for Windows XP (KB924496)
/ Windows XP / SP3: Security Update for Windows XP (KB924667)
/ Windows XP / SP3: Security Update for Windows XP (KB925486)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)
/ Windows XP / SP3: Security Update for Windows XP (KB926436)
/ Windows XP / SP3: Security Update for Windows XP (KB927779)
/ Windows XP / SP3: Security Update for Windows XP (KB927802)
/ Windows XP / SP3: Update for Windows XP (KB927891)
/ Windows XP / SP3: Security Update for Windows XP (KB928255)
/ Windows XP / SP3: Security Update for Windows XP (KB928843)
/ Windows XP / SP3: Security Update for Windows XP (KB929123)
/ Windows XP / SP3: Security Update for Windows XP (KB929969)
/ Windows XP / SP3: Security Update for Windows XP (KB930178)
/ Windows XP / SP3: Update for Windows XP (KB930916)
/ Windows XP / SP3: Security Update for Windows XP (KB931261)
/ Windows XP / SP3: Security Update for Windows XP (KB931784)
/ Windows XP / SP3: Update for Windows XP (KB931836)
/ Windows XP / SP3: Security Update for Windows XP (KB932168)
/ Windows XP / SP3: Update for Windows XP (KB932823-v3)
/ Windows XP / SP3: Security Update for Windows XP (KB933566)
/ Windows XP / SP3: Security Update for Windows XP (KB933729)
/ Windows XP / SP3: Security Update for Windows XP (KB935839)
/ Windows XP / SP3: Security Update for Windows XP (KB935840)
/ Windows XP / SP3: Security Update for Windows XP (KB936021)
/ Windows XP / SP3: Update for Windows XP (KB936357)
/ Windows XP / SP3: Security Update for Windows XP (KB937894)
/ Windows XP / SP3: Security Update for Windows XP (KB938127)
/ Windows XP / SP3: Update for Windows XP (KB938828)
/ Windows XP / SP3: Security Update for Windows XP (KB938829)
/ Windows XP / SP3: Security Update for Windows XP (KB941202)
/ Windows XP / SP3: Security Update for Windows XP (KB941568)
/ Windows XP / SP3: Security Update for Windows XP (KB941644)
/ Windows XP / SP3: Security Update for Windows XP (KB941693)
/ Windows XP / SP3: Security Update for Windows XP (KB942615)
/ Windows XP / SP3: Update for Windows XP (KB942763)
/ Windows XP / SP3: Update for Windows XP (KB942840)
/ Windows XP / SP3: Security Update for Windows XP (KB943055)
/ Windows XP / SP3: Security Update for Windows XP (KB943460)
/ Windows XP / SP3: Security Update for Windows XP (KB943485)
/ Windows XP / SP3: Security Update for Windows XP (KB944653)
/ Windows XP / SP3: Security Update for Windows XP (KB945553)
/ Windows XP / SP3: Security Update for Windows XP (KB946026)
/ Windows XP / SP3: Update for Windows XP (KB946627)
/ Windows XP / SP3: Security Update for Windows XP (KB948590)
/ Windows XP / SP3: Security Update for Windows XP (KB948881)
/ Windows XP / SP3: Security Update for Windows XP (KB950749)
/ Windows XP / SP4: Security Update for Windows XP (KB938464)
/ Windows XP / SP4: Security Update for Windows XP (KB946648)
/ Windows XP / SP4: Security Update for Windows XP (KB950760)
/ Windows XP / SP4: Security Update for Windows XP (KB950762)
/ Windows XP / SP4: Security Update for Windows XP (KB950974)
/ Windows XP / SP4: Security Update for Windows XP (KB951066)
/ Windows XP / SP4: Update for Windows XP (KB951072-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951376)
/ Windows XP / SP4: Security Update for Windows XP (KB951376-v2)
/ Windows XP / SP4: Security Update for Windows XP (KB951698)
/ Windows XP / SP4: Security Update for Windows XP (KB951748)
/ Windows XP / SP4: Hotfix for Windows XP (KB952287)
/ Windows XP / SP4: Security Update for Windows XP (KB952954)
/ Windows XP / SP4: Security Update for Windows XP (KB953839)


--- Startup entries list ---
Located: HK_LM:Run, AVG8_TRAY
command: C:\PROGRA~1\AVG\AVG8\avgtray.exe
file: C:\PROGRA~1\AVG\AVG8\avgtray.exe
size: 1234712
MD5: 84A91D110D27B11713C349523F4EA47F

Located: HK_LM:Run, BluetoothAuthenticationAgent
command: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
file: C:\WINDOWS\system32\bthprops.cpl
size: 110592
MD5: 265F5C94FA9F2DD868517E9DEEA21844

Located: HK_LM:Run, BootSkin Startup Jobs
command: "C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe" /StartupJobs
file: C:\Program Files\Stardock\WinCustomize\BootSkin\BootSkin.exe
size: 270336
MD5: 998492D3C53EEF257308C016AC9DD825

Located: HK_LM:Run, DiskeeperSystray
command: "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
file: C:\Program Files\Executive Software\Diskeeper\DkIcon.exe
size: 184408
MD5: 1CC38090C948BA34AC7D0CC17AF3F4B4

Located: HK_LM:Run, GrooveMonitor
command: "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
file: C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
size: 33648
MD5: 35DCD380D4D579D8B8EA91D5D8AE444C

Located: HK_LM:Run, IME JPN 2007 Migration
command: C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload
file: C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE
size: 66936
MD5: E163E2B3A8E91B3A716828E06181C904

Located: HK_LM:Run, LogonStudio
command: "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
file: C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe
size: 987187
MD5: E7937FC9392A6040336833D5282259FE

Located: HK_LM:Run, Microsoft Pinyin IME Migration
command: C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL
file: C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE
size: 32560
MD5: 0CB52FBC5099ADFA75178EE08F1CD660

Located: HK_LM:Run, Opware12
command: "C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe"
file: C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
size: 49152
MD5: 2837F5DBBB9B8DB2D4EB02856EAE6E23

Located: HK_LM:Run, SunJavaUpdateSched
command: "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
file: C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97

Located: HK_LM:Run, UnlockerAssistant
command: "C:\Program Files\Unlocker\UnlockerAssistant.exe"
file: C:\Program Files\Unlocker\UnlockerAssistant.exe
size: 15872
MD5: 403E928BA217E38485009636C793F3C9

Located: HK_LM:Run, UserFaultCheck
command: %systemroot%\system32\dumprep 0 -u
file: C:\WINDOWS\system32\dumprep 0 -u
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_LM:Run, WinampAgent
command: C:\Program Files\Winamp\winampa.exe
file: C:\Program Files\Winamp\winampa.exe
size: 35328
MD5: 62BD7FC7AD975C163C2D5B5860C61997

Located: HK_CU:Run, ctfmon.exe
where: PE_C_ADMINISTRATOR...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, LightScribe Control Panel
where: PE_C_ADMINISTRATOR...
command: C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
file: C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
size: 2295072
MD5: E1CFE972E41F7678A0ED7A226C93C250

Located: HK_CU:RunOnce, NeroHomeFirstStart
where: PE_C_ADMINISTRATOR...
command: "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
file: C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe
size: 19752
MD5: ABDB4E0027FD39E254854AD710A0CCB6

Located: HK_CU:RunOnce, NeroHomeFirstStart
where: PE_C_ALL USERS...
command: "C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe"
file: C:\Program Files\Common Files\Nero\Lib\NMFirstStart.exe
size: 19752
MD5: ABDB4E0027FD39E254854AD710A0CCB6

Located: HK_CU:Run, ctfmon.exe
where: PE_C_GUEST...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, LightScribe Control Panel
where: PE_C_GUEST...
command: C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
file: C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
size: 2295072
MD5: E1CFE972E41F7678A0ED7A226C93C250

Located: HK_CU:Run, msnmsgr
where: PE_C_GUEST...
command: "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
file: C:\Program Files\MSN Messenger\msnmsgr.exe
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: HK_CU:Run, ctfmon.exe
where: PE_C_MãE...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, IncrediMail
where: PE_C_MãE...
command: C:\Program Files\IncrediMail\bin\IncMail.exe /c
file: C:\Program Files\IncrediMail\bin\IncMail.exe
size: 243072
MD5: 7AD7DAAA39AD39931E5947543084DDF3

Located: HK_CU:Run, SpybotSD TeaTimer
where: PE_C_MãE...
command: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1833296
MD5: 63B3FF83B87AFCEBA89CED54695DA0F6

Located: HK_CU:Run, Copernic Desktop Search 2
where: S-1-5-21-1715567821-1060284298-854245398-1003...
command: "C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe" /tray
file: C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
size: 1583624
MD5: 5D39FA0C7AF3313703A94DFA60A93C9A

Located: HK_CU:Run, ctfmon.exe
where: S-1-5-21-1715567821-1060284298-854245398-1003...
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8

Located: HK_CU:Run, IncrediMail
where: S-1-5-21-1715567821-1060284298-854245398-1003...
command: C:\Program Files\IncrediMail\bin\IncMail.exe /c
file: C:\Program Files\IncrediMail\bin\IncMail.exe
size: 243072
MD5: 7AD7DAAA39AD39931E5947543084DDF3

Located: HK_CU:Run, LClock
where: S-1-5-21-1715567821-1060284298-854245398-1003...
command: C:\Program Files\LClock\lclock.exe
file: C:\Program Files\LClock\lclock.exe
size: 65536
MD5: 38CC541D105DCBA3D3768D6B191D9505

Located: HK_CU:Run, Rainlendar2
where: S-1-5-21-1715567821-1060284298-854245398-1003...
command: C:\Program Files\Rainlendar2\Rainlendar2.exe
file: C:\Program Files\Rainlendar2\Rainlendar2.exe
size: 4067328
MD5: D0F6C8CA69CA3B1315C9BC9B5746ABE7

Located: HK_CU:Run, ViOrb
where: S-1-5-21-1715567821-1060284298-854245398-1003...
command: C:\Program Files\ViOrb\ViOrb.exe
file: C:\Program Files\ViOrb\ViOrb.exe
size: 167936
MD5: EF13475DEBC95FB0A3D875BB13CB3330

Located: HK_CU:Run, VisualTaskTips
where: S-1-5-21-1715567821-1060284298-854245398-1003...
command: C:\Program Files\VisualTaskTips\VisualTaskTips.exe
file: C:\Program Files\VisualTaskTips\VisualTaskTips.exe
size: 61440
MD5: 8B784694CA9994E3102D2D1DE0D6E3F5

Located: Startup (common), Windows Desktop Search.lnk
where: C:\Documents and Settings\All Users\Start Menu\Programs\Startup...
command: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
file: C:\Program Files\Windows Desktop Search\WindowsSearch.exe
size: 118784
MD5: 946467B375D696FA073A6B9370A4C6CE

Located: Startup (user), MagicDisc.lnk
where: C:\Documents and Settings\Casa\Start Menu\Programs\Startup...
command: C:\Program Files\MagicDisc\MagicDisc.exe
file: C:\Program Files\MagicDisc\MagicDisc.exe
size: 575488
MD5: BDD713D351F065E20F12865B8CFD956D

Located: Startup (user), OneNote 2007 Screen Clipper and Launcher.lnk
where: C:\Documents and Settings\Casa\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
file: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
size: 101440
MD5: 9D0EEBDA40D5C33BC63FB8BB984F7681

Located: Startup (user), Styler.lnk
where: C:\Documents and Settings\Casa\Start Menu\Programs\Startup...
command:
file:
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: Startup (user), OneNote 2007 Screen Clipper and Launcher.lnk
where: C:\Documents and Settings\Guest\Start Menu\Programs\Startup...
command: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
file: C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
size: 101440
MD5: 9D0EEBDA40D5C33BC63FB8BB984F7681

Located: WinLogon, crypt32chain
command: crypt32.dll
file: crypt32.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cryptnet
command: cryptnet.dll
file: cryptnet.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, cscdll
command: cscdll.dll
file: cscdll.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, ScCertProp
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, Schedule
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, SensLogn
command: WlNotify.dll
file: WlNotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, termsrv
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!

Located: WinLogon, wlballoon
command: wlnotify.dll
file: wlnotify.dll
size: 0
MD5: D41D8CD98F00B204E9800998ECF8427E
Warning: if the file is actually larger than 0 bytes,
the checksum could not be properly calculated!



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll

{22BF413B-C6D2-4d91-82A9-A0F997BA588C} (Skype add-on (mastermind))
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: Skype add-on (mastermind)
CLSID name: Skype add-on (mastermind)
Path: C:\Program Files\Skype\Toolbars\Internet Explorer\
Long name: SkypeIEPlugin.dll
Short name: SKYPEI~1.DLL
Date (created): 01-02-2008 18:22:12
Date (last access): 16-05-2008 5:11:26
Date (last write): 01-02-2008 18:22:12
Filesize: 1377576
Attributes: archive
MD5: 23CD1A674E74AA4C1DAE8431E101580B
CRC32: 10D55EA0
Version: 2.2.0.147

{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} (WormRadar.com IESiteBlocker.NavFilter)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name: WormRadar.com IESiteBlocker.NavFilter
CLSID name: AVG Safe Search
Path: C:\Program Files\AVG\AVG8\
Long name: avgssie.dll
Short name:
Date (created): 02-07-2008 15:41:32
Date (last access): 31-08-2008 22:48:28
Date (last write): 31-08-2008 22:48:28
Filesize: 455960
Attributes: archive
MD5: 19A9C541D4EE8E3471B26986D785AB4D
CRC32: 93FD7D83
Version: 8.0.0.152

{72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Groove GFS Browser Helper
Path: C:\Program Files\Microsoft Office\Office12\
Long name: GrooveShellExtensions.dll
Short name:
Date (created): 24-08-2007 7:01:22
Date (last access): 01-09-2008 3:45:12
Date (last write): 24-08-2007 7:01:22
Filesize: 2212224
Attributes: archive
MD5: 32C4927E013C018A13D8DFBDA4148812
CRC32: 9A9F3D8B
Version: 12.0.6211.1000

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: ssv.dll
Short name:
Date (created): 31-08-2008 22:53:16
Date (last access): 10-06-2072 2:32:34
Date (last write): 10-06-2008 4:27:02
Filesize: 509328
Attributes: archive
MD5: F921D875A1CBD69A6A462BA2514BC831
CRC32: 38AC9EE2
Version: 6.0.70.6

{7E853D72-626A-48EC-A868-BA8D5E23E045} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{A057A204-BACC-4D26-9990-79A187E2698E} ()
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name:

{ADECBED6-0366-4377-A739-E69DFBA04663} (Catcher Class)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Catcher Class
Path: C:\Program Files\Moyea\FLV Downloader\
Long name: MoyeaCth.dll
Short name:
Date (created): 15-03-2008 7:14:38
Date (last access): 22-05-2008 17:52:24
Date (last write): 05-12-2007 10:25:24
Filesize: 94208
Attributes: archive
MD5: 06D8D2F98C70B190F8F14125FD82EBAF
CRC32: 924C9D97
Version: 1.0.0.2

{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: Google Toolbar Notifier BHO
Path: C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\
Long name: swg.dll
Short name:
Date (created): 19-10-2008 2:24:06
Date (last access): 19-10-2008 2:24:06
Date (last write): 19-10-2008 2:24:06
Filesize: 652784
Attributes: archive
MD5: 7D566FF02484EA2BCDEF6E8D7E9D9D13
CRC32: 922F62CE
Version: 4.1.805.4472

{C451C08A-EC37-45DF-AAAD-18B51AB5E837} (PDFCreator Toolbar Helper)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: PDFCreator Toolbar Helper
Path: C:\Program Files\PDFCreator Toolbar\v3.3.0.1\
Long name: PDFCreator_Toolbar.dll
Short name: PDFCRE~1.DLL
Date (created): 18-12-2007 4:24:58
Date (last access): 16-05-2008 5:11:28
Date (last write): 04-04-2008 3:51:12
Filesize: 806912
Attributes: archive
MD5: D52377F86DB8582396709803054E94BB
CRC32: 58F0C6FD
Version: 3.3.0.1

{cb90f295-4524-4bd4-adb4-8dc333d67d6a} (The Lynx Internet Radio Network Toolbar)
location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
BHO name:
CLSID name: The Lynx Internet Radio Network Toolbar
Path: C:\Program Files\The_Lynx_Internet_Radio_Network\
Long name: tbThe_.dll
Short name:
Date (created): 24-03-2008 3:24:04
Date (last access): 26-05-2008 4:32:02
Date (last write): 13-03-2008 11:30:28
Filesize: 1524248
Attributes: archive
MD5: 103C2F9FE6B9D22E900CCA445A042C1C
CRC32: 47EADD92
Version: 4.5.184.0



--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\dajava.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla

Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
Installer:
Codebase: file://C:\WINDOWS\Java\classes\xmldso.cab
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla

{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\setup.inf
Codebase: http://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Adobe\Director\
Long name: SwDir.dll
Short name:
Date (created): 09-08-2008 16:41:48
Date (last access): 09-08-2008 16:41:48
Date (last write): 06-08-2008 16:30:48
Filesize: 202168
Attributes: archive
MD5: B8153BAD2E56C50B147867FA9DAEB095
CRC32: D52113FA
Version: 11.0.0.465

{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\WMV9VCM.inf
Codebase: http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
description:
classification: Legitimate
known filename:
info link:
info source: Safer Networking Ltd.

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name:
Date (created): 10-06-2008 2:32:34
Date (last access): 10-06-2072 2:32:34
Date (last write): 10-06-2008 4:27:02
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} ()
DPF name:
CLSID name:
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
description:
classification: Open for discussion
known filename:
info link:
info source: Safer Networking Ltd.

{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} ()
DPF name:
CLSID name:
Installer:
Codebase:

{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} ()
DPF name:
CLSID name:
Installer:
Codebase:

{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name:
Date (created): 10-06-2008 2:32:34
Date (last access): 10-06-2072 2:32:34
Date (last write): 10-06-2008 4:27:02
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.6.0)
DPF name: Java Runtime Environment 1.6.0
CLSID name: Java Plug-in 1.6.0_07
Installer:
Codebase: http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.6.0_07\bin\
Long name: npjpi160_07.dll
Short name:
Date (created): 10-06-2008 2:32:34
Date (last access): 10-06-2072 2:32:34
Date (last write): 10-06-2008 4:27:02
Filesize: 132496
Attributes: archive
MD5: 7C83A2809E13950359189767AC9D5DB8
CRC32: 925C2A88
Version: 6.0.70.6

{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class)
DPF name:
CLSID name: get_atlcom Class
Installer: C:\WINDOWS\Downloaded Program Files\gp.inf
Codebase: http://www.adobe.com/products/acrobat/nos/gp.cab
Path: C:\WINDOWS\Downloaded Program Files\
Long name: gp.ocx
Short name:
Date (created): 16-05-2007 16:22:06
Date (last access): 16-05-2008 5:11:38
Date (last write): 16-05-2007 16:22:06
Filesize: 166512
Attributes: archive
MD5: 9BCFC46ECA1BF28E039ECCE2D331086E
CRC32: A9C6ED85
Version: 1.2.2.50



--- Process list ---
PID: 0 ( 0) [System]
PID: 516 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 596 ( 516) \??\C:\WINDOWS\system32\csrss.exe
size: 6144
PID: 620 ( 516) \??\C:\WINDOWS\system32\winlogon.exe
size: 502272
PID: 728 ( 620) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 740 ( 620) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 940 ( 728) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 984 ( 728) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1100 ( 728) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1184 ( 728) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1284 ( 728) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1424 ( 728) C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
size: 611664
MD5: 17067069B9A7865028C1F2E6971D0CCC
PID: 1588 ( 728) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1748 (1728) C:\WINDOWS\Explorer.EXE
size: 1033216
MD5: 97BD6515465659FF8F3B7BE375B2EA87
PID: 1972 ( 728) C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
size: 124832
MD5: E8FE4FCE23D2809BD88BCC1D0F8408CE
PID: 2000 ( 728) C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
size: 231704
MD5: 9B40D378D4E521464212E878BE8216A4
PID: 2016 ( 728) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2040 ( 728) C:\Program Files\Executive Software\Diskeeper\DkService.exe
size: 606316
MD5: 15A2F2D06B1F8D2AD2BE055C40CB1B74
PID: 552 ( 728) C:\Program Files\FolderSize\FolderSizeSvc.exe
size: 131072
MD5: 7C2B319EF1F62837AAD0CDD76F0B84C6
PID: 1764 ( 728) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
size: 168432
MD5: 34B56A3C195AEE6AE11001D277ACC83E
PID: 2036 (1748) C:\WINDOWS\system32\rundll32.exe
size: 33280
MD5: DA285490BBD8A1D0CE6623577D5BA1FF
PID: 220 ( 728) C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe
size: 1440552
MD5: B983D62CA4AC7C1B68089AE05FDE6888
PID: 228 (1748) C:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe
size: 49152
MD5: 2837F5DBBB9B8DB2D4EB02856EAE6E23
PID: 288 (1748) C:\Program Files\Winamp\winampa.exe
size: 35328
MD5: 62BD7FC7AD975C163C2D5B5860C61997
PID: 328 ( 728) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
size: 79136
MD5: 9039717A906DA0AE38420918801D9AB3
PID: 588 ( 728) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
size: 335872
MD5: 7CF1B716372B89568AE4C0FE769F5869
PID: 648 (1748) C:\Program Files\Unlocker\UnlockerAssistant.exe
size: 15872
MD5: 403E928BA217E38485009636C793F3C9
PID: 868 (1748) C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
size: 33648
MD5: 35DCD380D4D579D8B8EA91D5D8AE444C
PID: 1120 (1748) C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
size: 144784
MD5: 6AB4C021FBD36DC6764924C312428D97
PID: 1156 ( 728) C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
size: 877864
MD5: 40D7D0A208EE863BCA8D89E299216F15
PID: 1176 (1748) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 1232 (1748) C:\Program Files\Rainlendar2\Rainlendar2.exe
size: 4067328
MD5: D0F6C8CA69CA3B1315C9BC9B5746ABE7
PID: 1348 (1748) C:\Program Files\ViOrb\ViOrb.exe
size: 167936
MD5: EF13475DEBC95FB0A3D875BB13CB3330
PID: 1420 (1748) C:\Program Files\Copernic Desktop Search 2\DesktopSearchService.exe
size: 1583624
MD5: 5D39FA0C7AF3313703A94DFA60A93C9A
PID: 1524 (1748) C:\Program Files\LClock\lclock.exe
size: 65536
MD5: 38CC541D105DCBA3D3768D6B191D9505
PID: 1520 (2000) C:\Program Files\AVG\AVG8\avgrsx.exe
size: 287000
MD5: BA1CE056CE1466CA28CE118585EA86C4
PID: 1656 (1748) C:\Program Files\VisualTaskTips\VisualTaskTips.exe
size: 61440
MD5: 8B784694CA9994E3102D2D1DE0D6E3F5
PID: 1208 ( 728) C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe
size: 53032
MD5: 3929C15875CC58FAA1048B231FB3E041
PID: 2164 ( 728) C:\WINDOWS\system32\IoctlSvc.exe
size: 81920
MD5: 875E4E0661F3A5994DF9E5E3A0A4F96B
PID: 2336 (1748) C:\Program Files\Windows Desktop Search\WindowsSearch.exe
size: 118784
MD5: 946467B375D696FA073A6B9370A4C6CE
PID: 2344 ( 728) C:\Program Files\CyberLink\Shared Files\RichVideo.exe
size: 173616
MD5: 1D4061CC5BC8E823D05E1E6E6C1224E3
PID: 2364 ( 728) C:\Program Files\Sandboxie\SbieSvc.exe
size: 47104
MD5: D49EAD9AD39A2F443CB2AE86A850F7E9
PID: 2444 ( 728) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2564 ( 728) C:\PROGRA~1\AVG\AVG8\avgemc.exe
size: 875288
MD5: EC5B6AFF1A0BD1480B3B40CE78FAA527
PID: 2836 ( 728) C:\WINDOWS\system32\SearchIndexer.exe
size: 300032
MD5: 2EC497AA4B728D1B1A368ACF2E309E8B
PID: 3172 ( 940) C:\Program Files\IncrediMail\bin\IMApp.exe
size: 189824
MD5: B019A29934FFE34F44D5D43E76676DA4
PID: 1092 ( 728) C:\WINDOWS\System32\alg.exe
size: 44544
MD5: F1958FBF86D5C004CF19A5951A9514B7
PID: 2172 ( 728) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 2292 (2836) C:\WINDOWS\system32\SearchProtocolHost.exe
size: 182784
MD5: 4B0EA20D942AF11584D2D72A8419E3CB
PID: 2380 (2836) C:\WINDOWS\system32\SearchFilterHost.exe
size: 76800
MD5: 0B57A82B223AA3CFDD264D9DB8491D43
PID: 3136 (1748) C:\Program Files\Windows Live\Messenger\msnmsgr.exe
size: 5724184
MD5: A7BBF67C8A8B061C6393D9A57840268B
PID: 1496 ( 696) C:\Program Files\AVG\AVG8\avgtray.exe
size: 1234712
MD5: 84A91D110D27B11713C349523F4EA47F
PID: 3384 ( 728) C:\Program Files\Windows Live\Messenger\usnsvc.exe
size: 98328
MD5: 9D19B042A4FD5C02195071EA2FE0C821
PID: 3916 (3172) C:\Program Files\IncrediMail\bin\IncMail.exe
size: 243072
MD5: 7AD7DAAA39AD39931E5947543084DDF3
PID: 388 (3916) C:\Program Files\Internet Explorer\IEXPLORE.EXE
size: 625664
MD5: 64E376A47763DAEABCDA14BD5B6EA286
PID: 3480 (1748) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4891472
MD5: 3B1B5D09D3C9C4CD39D4DB06ED7A0855
PID: 4 ( 0) System


--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 22-10-2008 0:24:56

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.netcabo.pt/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl\@
http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
C:\windows\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip

Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 5: MSAFD RfComm [Bluetooth]
GUID: {9FC48064-7298-43E4-B7BD-181F2089792A}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD RfComm [Bluetooth]

Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ACC19DD2-9C10-46C8-AAC6-1BF020F6396A}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{ACC19DD2-9C10-46C8-AAC6-1BF020F6396A}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DF83770A-3C60-482B-9C12-20A14722061C}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DF83770A-3C60-482B-9C12-20A14722061C}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AA981308-7F1B-40F1-B789-A3ABB72CAED9}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{AA981308-7F1B-40F1-B789-A3ABB72CAED9}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A74A40F7-901C-4DEB-AF44-AE2454615D81}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A74A40F7-901C-4DEB-AF44-AE2454615D81}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{34070131-F032-4735-940F-278944C222A8}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{34070131-F032-4735-940F-278944C222A8}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

Namespace Provider 3: Bluetooth Namespace
GUID: {06AA63E0-7D60-41FF-AFB2-3EE6D2D9392D}
Filename: %SystemRoot%\system32\wshbth.dll
Description: Bluetooth
DB filename: %SystemRoot%\system32\wshbth.dll
DB protocol: Bluetooth-Namespace
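
The "--- Process list ---" section above records each process with its parent PID in parentheses, which is enough to rebuild the process tree and apply the parent/child checks a responder normally does by eye. The following script is an added example and is not part of this thread or of Spybot; it parses that format and flags a few relationships worth asking about (a process whose parent is no longer running, an svchost.exe not started by services.exe, a browser launched by something other than the shell, a Program Files application started by a service host). The sample input is an excerpt copied from the report above; the function names are mine. The rows it flags in this excerpt (avgtray.exe with a parent that has exited, IMApp.exe under svchost.exe, IEXPLORE.EXE under IncMail.exe) are leads to verify, not verdicts, and each also has an ordinary explanation.

```python
import re
from collections import defaultdict

# Excerpt of the "--- Process list ---" section of the Spybot report above,
# used here as constructed sample input (size/MD5 lines are kept only to show
# that the parser skips them).
SAMPLE_REPORT = r"""
--- Process list ---
PID: 0 ( 0) [System]
PID: 516 ( 4) \SystemRoot\System32\smss.exe
size: 50688
PID: 596 ( 516) \??\C:\WINDOWS\system32\csrss.exe
PID: 620 ( 516) \??\C:\WINDOWS\system32\winlogon.exe
PID: 728 ( 620) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 740 ( 620) C:\WINDOWS\system32\lsass.exe
PID: 940 ( 728) C:\WINDOWS\system32\svchost.exe
PID: 1748 (1728) C:\WINDOWS\Explorer.EXE
PID: 2036 (1748) C:\WINDOWS\system32\rundll32.exe
PID: 3172 ( 940) C:\Program Files\IncrediMail\bin\IMApp.exe
PID: 1496 ( 696) C:\Program Files\AVG\AVG8\avgtray.exe
PID: 3916 (3172) C:\Program Files\IncrediMail\bin\IncMail.exe
PID: 388 (3916) C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID: 4 ( 0) System
"""

# "PID: <pid> (<ppid>) <image path>"; the value in parentheses is the parent PID.
PROC_RE = re.compile(r"^PID:\s*(\d+)\s*\(\s*(\d+)\)\s*(.+?)\s*$")


def parse_process_list(text):
    """Return {pid: (ppid, image_path)} for every 'PID:' line; other lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = PROC_RE.match(line.strip())
        if m:
            procs[int(m.group(1))] = (int(m.group(2)), m.group(3))
    return procs


def basename(path):
    """Lower-cased file name part of a Windows path (or device path)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_anomalies(procs):
    """Parent/child heuristics; returns [(pid, reason)]. Leads, not verdicts."""
    findings = []
    services_pids = {pid for pid, (_, p) in procs.items() if basename(p) == "services.exe"}
    for pid, (ppid, path) in procs.items():
        name = basename(path)
        parent = procs.get(ppid)
        pname = basename(parent[1]) if parent else None
        # Parent gone: expected for Explorer (userinit.exe exits), but a dropper
        # that spawns a payload and exits leaves exactly this pattern.
        if parent is None and name != "explorer.exe":
            findings.append((pid, f"{name}: parent PID {ppid} is not in the listing"))
        # A real svchost.exe is always a child of services.exe.
        if name == "svchost.exe" and ppid not in services_pids:
            findings.append((pid, f"svchost.exe not started by services.exe (parent {pname or ppid})"))
        # Browsers started by something other than the shell or another browser.
        if name == "iexplore.exe" and pname not in ("explorer.exe", "iexplore.exe"):
            findings.append((pid, f"iexplore.exe started by {pname or ppid}"))
        # A Program Files application started by a service host rather than the shell.
        if pname == "svchost.exe" and path.lower().startswith("c:\\program files"):
            findings.append((pid, f"{name} started by svchost.exe rather than explorer.exe"))
    return findings


def render_tree(procs):
    """Indented parent->child lines; a process whose parent is absent becomes a root."""
    children = defaultdict(list)
    for pid, (ppid, _) in procs.items():
        if ppid in procs and ppid != pid:
            children[ppid].append(pid)
    roots = [pid for pid, (ppid, _) in procs.items() if ppid not in procs or ppid == pid]
    out = []

    def walk(pid, depth):
        out.append("  " * depth + f"{pid} {basename(procs[pid][1])}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return out


if __name__ == "__main__":
    procs = parse_process_list(SAMPLE_REPORT)
    print("\n".join(render_tree(procs)))
    for pid, reason in find_anomalies(procs):
        print(f"[check] PID {pid}: {reason}")
```

Run it against the full section by pasting the whole "--- Process list ---" block into SAMPLE_REPORT; the tree view makes the services.exe subtree (every service and svchost) stand out from the Explorer subtree (everything the user started).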

Shaba
2008-10-22, 11:47
So does Spybot still recognize something on C:?

tarix
2008-10-22, 15:06
Hi Shaba,
Spybot didn't recognize any threats on C: except for the usual round-up, cleaning up the system (logs, caches, etc.) :)
Do you want a fresh new HJT log?

Shaba
2008-10-22, 15:57
No need unless you have some issues left?

tarix
2008-10-22, 16:09
Hi Shaba, thanks for your time and support. For the moment I don't have other issues except for this:


Hi Shaba,
I have a question now on what to do next. Are we finished with this? What about the programs we used/installed, should I keep them or uninstall them (for me they could stay there, as they don't bother me at all, just in case :rolleyes: ), and should I re-enable Spybot TeaTimer again?

I would like to ask you this, but I don't know if I should open a new thread, as this is a different problem. Anyhow, I'm sure you can give me some advice: first, whether I should open a new thread, and second, where I should post it, or whether you can help me with this without opening one.
As you know, I have another disc C: (in a different swappable drawer) which has given me some problems: Spybot detects something trying to connect to the net and immediately, as TeaTimer is on, it starts to block that thing, filling my desktop with popups. I've run Spybot and it detects it but can't remove it, so it asks to run on reboot (which I did), but still the same happens (I think S&D can't remove it). What should I do? I have tried an online scanner but it couldn't run either. I have some very important information on that disc and I really, really don't want to lose it!! :sad:

Anyhow thanks again for your time and support :2thumb: :)

Shaba
2008-10-22, 17:02
We will remove used tools during final instructions :)

Is that other disc C: problem still there?

tarix
2008-10-22, 17:25
Hi Shaba, the other C: disc still has the problems, unfortunately, if that was what you asked; this one, however, is good (as far as I can see).

Thanks :)

Shaba
2008-10-22, 17:43
Is it in this same computer?

tarix
2008-10-22, 18:09
Hi Shaba,
yes

" ..I have another disc C: (in a diferent swapable draw)"

Shaba
2008-10-22, 18:10
I see.

Can you post a HijackThis log from that drive next?

tarix
2008-10-22, 19:11
Hi Shaba,
I'm sure I'm being quite annoying; thanks for all your help, time and patience. I'm going to try :)
I'll have to change the disc C: and reboot in safe mode, then I'll change again and post it right away, thanks :) :)

tarix
2008-10-22, 21:11
Hi Shaba,
here are the HJT reports that you requested. On the first one I logged in as Administrator; on the second one I logged in as a user (myself)/administrator. I don't know if there's any difference, but since I didn't know, I'm posting both. Thanks in advance :)

1st one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:07:52, on 22-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1038] command /c del "C:\WINDOWS\system32\nnnkk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD766] cmd /c del "C:\WINDOWS\system32\nnnkk.dll_old"
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4629 bytes
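
A HijackThis log is line-oriented and each prefix (O4 autostarts, O16 downloaded ActiveX, O23 services) has a fixed layout, so the first pass a helper makes over it can be scripted. The script below is an added example, not part of this thread and not HijackThis or Spybot code; its sample input is a set of lines copied from the log above, and the function and pattern names are mine. It applies a few conservative heuristics: an autostart whose value name is eight hex digits, a rundll32 autostart whose entry point is only one or two characters long, a RunOnce deletion written by a scanner, a DPF entry with no codebase URL left, and a service whose image is missing or has no file extension. Every hit is a line to ask about, not a verdict; the page does not say what any of these files is.

```python
import re

# Constructed sample: lines copied from the safe-mode HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB1038] command /c del "C:\WINDOWS\system32\nnnkk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD766] cmd /c del "C:\WINDOWS\system32\nnnkk.dll_old"
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
"""

# O4 - <hive>\..\<Run|RunOnce>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 - DPF: {CLSID} (<name>) - <codebase URL, possibly empty>
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) -\s*(?P<codebase>.*)$")
# O23 - Service: <description> - <owner> - <image path>[ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# rundll32[.exe] ["]<dll>["],<entry point>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<entry>.*)$', re.IGNORECASE)
HEXNAME_RE = re.compile(r"^[0-9a-f]{8}$")


def triage_hjt(log_text):
    """Return [{"line": <log line>, "reasons": [...]}] for lines a helper would ask about."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []

        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if HEXNAME_RE.match(name):
                reasons.append("Run value name looks machine-generated (8 hex digits)")
            r = RUNDLL_RE.match(cmd)
            if r:
                entry = r.group("entry").lstrip(",").strip()  # "dll,,Name" form has two commas
                if len(entry) <= 2:
                    reasons.append(f"rundll32 loads {r.group('dll')} through a {len(entry)}-character entry point")
            if m.group("key").lower() == "runonce" and name.startswith("SpybotDeleting"):
                reasons.append("scanner scheduled this file for deletion at next logon; confirm it is gone")

        m = O16_RE.match(line)
        if m and not m.group("codebase"):
            reasons.append("downloaded ActiveX entry has no codebase URL left to check")

        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                reasons.append("service points to a missing image (orphaned entry)")
            if "." not in m.group("path").rsplit("\\", 1)[-1]:
                reasons.append("service image path has no file extension")

        if reasons:
            findings.append({"line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f["line"])
        for reason in f["reasons"]:
            print("    -", reason)
```

The entry-point check is what separates the two rundll32 lines: the Bluetooth one names a real export, the other passes a single letter, which is the pattern a helper looks at first. Replace SAMPLE_LOG with a whole log to run the same pass over every O4/O16/O23 line.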

tarix
2008-10-22, 21:13
This is the 2nd one:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:50:24, on 22-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Paulo\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvcabo.pt/default.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Virtual Dimension] C:\Program Files\Virtual Dimension\VirtualDimension.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Blaero Start Orb.lnk = C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 5710 bytes


Many Thanks again :)

Shaba
2008-10-22, 21:23
Yes there are infections.

Create your own folder for HijackThis and move it to that folder.

Rename HijackThis.exe to tarix.exe and post back a fresh HijackThis log, please.

tarix
2008-10-22, 21:32
Hi Shaba,
Thanks for the quick answer, one question though: should I do it as "administrator" or as (my name/administrator), because we both are administrators :)

Shaba
2008-10-22, 21:41
That doesn't matter as both are admin accounts :)

tarix
2008-10-22, 21:43
Hi Shaba, ok :) thanks

tarix
2008-10-22, 22:24
Hi shaba,
here is the new HJT log you requested (made a folder on the desktop with the name you asked for and ran HJT from there after renaming it):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12:01, on 22-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Paulo\Desktop\Tarix\tarix.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvcabo.pt/default.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\ljjggfe.dll
O2 - BHO: (no name) - {159A38AE-10F0-4353-AE86-A5BD8382A76C} - C:\WINDOWS\system32\nnnkk.dll (file missing)
O2 - BHO: (no name) - {2F671C50-B64D-4A83-816D-3CED58DFEB17} - C:\WINDOWS\system32\gebbc.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {4634AAA5-5F76-4D58-B6E0-42465307EE5E} - C:\WINDOWS\system32\efedc.dll (file missing)
O2 - BHO: {dc7bbf1a-625a-7049-c5f4-60a4f444dbe4} - {4ebd444f-4a06-4f5c-9407-a526a1fbb7cd} - C:\WINDOWS\system32\pfauhocf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Virtual Dimension] C:\Program Files\Virtual Dimension\VirtualDimension.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Blaero Start Orb.lnk = C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O20 - Winlogon Notify: eohfktqb - eohfktqb.dll (file missing)
O20 - Winlogon Notify: ljjggfe - C:\WINDOWS\SYSTEM32\ljjggfe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7390 bytes

thanks :)
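
A defender-side triage pass over HijackThis lines like the ones in the log above, as an added example that is not part of this thread and not code from HijackThis or Spybot; the sample lines are constructed from entries of the kind shown here, and the "random-looking name" rule is a heuristic of this example, not a HijackThis feature:

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines of the kind seen in the HijackThis logs posted above,
# mixed with a few benign entries so the heuristics have something to pass over.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\ljjggfe.dll
O2 - BHO: (no name) - {159A38AE-10F0-4353-AE86-A5BD8382A76C} - C:\WINDOWS\system32\nnnkk.dll (file missing)
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: eohfktqb - eohfktqb.dll (file missing)
O20 - Winlogon Notify: ljjggfe - C:\WINDOWS\SYSTEM32\ljjggfe.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    section: str    # HijackThis section tag, e.g. "O20"
    reason: str
    line: str


SECTION = re.compile(r"^([RFNO]\d{1,2}) - ")      # every HJT line starts with its section tag
RUN_NAME = re.compile(r"\[([^\]]+)\]")            # the [name] of an O4 Run value
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")           # generated Run names such as f8d8a0d3
DLL_STEM = re.compile(r"([A-Za-z0-9_]+)\.dll\b")  # file name of the DLL being loaded
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic only (this example's assumption): a lowercase, all-letter name with
    hardly any vowels (ljjggfe, eohfktqb, nyunitqb) is typical of generated file names."""
    if len(name) < 5 or not name.isalpha() or not name.islower():
        return False
    vowels = sum(1 for c in name if c in VOWELS)
    return vowels / len(name) <= 0.3


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a line that deserves a second look, else None."""
    m = SECTION.match(line)
    if not m:
        return None
    sec = m.group(1)
    missing = "(file missing)" in line or "(no file)" in line
    stem_m = DLL_STEM.search(line)
    stem = stem_m.group(1) if stem_m else ""

    if sec == "O2" and "(no name)" in line:
        if missing:
            return Finding("medium", sec, "orphaned BHO: CLSID still registered but the DLL is gone", line)
        if "system32" in line.lower() and looks_random(stem):
            return Finding("high", sec, "unnamed BHO loading a random-looking DLL from system32", line)
    if sec == "O4":
        name_m = RUN_NAME.search(line)
        name = name_m.group(1) if name_m else ""
        if HEX_NAME.match(name) and "rundll32" in line.lower():
            return Finding("high", sec, "Run entry with a hex name launching a DLL through rundll32", line)
    if sec == "O6" and "Restrictions present" in line:
        return Finding("medium", sec, "IE policy restrictions set; commonly planted to lock settings", line)
    if sec == "O20" and "Winlogon Notify" in line:
        sev = "high" if missing or looks_random(stem) else "medium"
        return Finding(sev, sec, "Winlogon Notify package (loaded into winlogon at logon; verify the DLL)", line)
    if sec == "O23" and "Unknown owner" in line:
        sev = "high" if missing else "medium"
        return Finding(sev, sec, "service with no publisher" + (" and a missing binary" if missing else ""), line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw.strip())
        if f:
            findings.append(f)
    return findings


def summary(findings: List[Finding]) -> dict:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:<4} {f.reason}\n         {f.line}")
    print(summary(triage(SAMPLE_LOG)))
```

The output is a review list, not a verdict: a helper still confirms each flagged DLL or service before fixing it, which is why the thread asks for a fresh log after every step.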

Shaba
2008-10-22, 22:32
We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.

Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

tarix
2008-10-23, 00:35
Hi shaba,
sorry for the time taken but I couldn't get my internet working on the other C:. It has a new script file under automatic script configuration; where "automatically detect proxy settings" should be, this appears: http://localhost:9100/proxy.pac
and it doesn't change or delete, no matter what I do, so I had to close that disc again and come back to this one :)

here is the ComboFix report:

ComboFix 08-10-14.07 - Paulo 2008-10-22 22:22:40.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT 1:00]
Executando de: C:\Documents and Settings\Paulo\Desktop\ComboFix.exe
Comandos utilizados :: C:\Documents and Settings\Paulo\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Paulo\Application Data\inst.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\cbbeg.ini
C:\WINDOWS\system32\cbbeg.ini2
C:\WINDOWS\system32\cdefe.ini
C:\WINDOWS\system32\cdefe.ini2
C:\WINDOWS\system32\eohfktqb.dllbox
C:\WINDOWS\system32\jkghje.dll
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\service.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_SERVICE.SYS
-------\Service_Iprip
-------\Service_MSControlService
-------\Service_NPF
-------\Service_service.sys
-------\Service_wer32


(((((((((((((((( Arquivos/Ficheiros criados de 2008-09-22 to 2008-10-22 ))))))))))))))))))))))))))))
.

Nenhum ficheiro/arquivo criado durante este período

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 21:36 --------- d-----w C:\Documents and Settings\Paulo\Application Data\AVG7
2007-09-29 03:21 47,360 ----a-w C:\Documents and Settings\Paulo\Application Data\pcouffin.sys
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D5A7CC7-E618-474C-94EE-265AC5768512}]
2008-03-04 02:04 300032 --a------ C:\WINDOWS\system32\gebbc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 1298432]
"Virtual Dimension"="C:\Program Files\Virtual Dimension\VirtualDimension.exe" [2005-07-09 446976]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 2097488]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-07-19 208946]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 65536]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-09-24 282624]
"VisualTooltip"="C:\Program Files\VisualTooltip\VisualToolTip.exe" [2006-10-06 942080]
"Blaero Start Orb"="C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe" [2006-07-30 575488]
"Styler"="C:\Program Files\Styler\Styler.exe" [2006-05-03 307200]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-03-07 184408]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-19 579072]
"MsmqIntCert"="mqrt.dll" [2007-07-06 C:\WINDOWS\system32\mqrt.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-19 219136]

C:\Documents and Settings\Paulo\Start Menu\Programs\Startup\
Blaero Start Orb.lnk - C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe [2006-12-28 575488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-27 262944]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-11-21 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjggfe]
2008-02-17 23:35 37376 C:\WINDOWS\system32\ljjggfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"msacm.avis"= C:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware12]
--a------ 2003-05-20 07:56 49152 C:\Program Files\ScanSoft\OmniPagePro12.0\opware12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVRemote]
--------- 2002-01-29 03:12 61440 C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 08:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2 (0x2)
"Diskeeper"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Download Express\\dep.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\FolderShare\\FolderShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SAIG\\Surfulater\\Surfulater.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 u1pvdbs;SONY USB CAMERA Base Driver;C:\WINDOWS\system32\DRIVERS\u1pvdbs.sys [2001-11-27 6225]
R3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
R3 u1pvdsm;SONY USB CAMERA Video Capture Device;C:\WINDOWS\system32\DRIVERS\u1pvdsm.sys [2001-11-27 318419]
S2 NMSAccessU;NMSAccessU;C:\Program Files\CDBurnerXP\NMSAccessU.exe [ ]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 tbHD;Philips PSC705 WDM Driver;C:\WINDOWS\system32\drivers\TBirdHD.sys [2002-06-04 336066]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5593390-d671-11db-916e-00805a2069c9}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
.
Conteúdo da pasta 'Tarefas Agendadas'

2008-01-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

2008-03-04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-08 01:26]
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{159A38AE-10F0-4353-AE86-A5BD8382A76C} - C:\WINDOWS\system32\nnnkk.dll
BHO-{4634AAA5-5F76-4D58-B6E0-42465307EE5E} - C:\WINDOWS\system32\efedc.dll
BHO-{4ebd444f-4a06-4f5c-9407-a526a1fbb7cd} - C:\WINDOWS\system32\pfauhocf.dll
BHO-{C03FD59D-9104-44B7-929A-9EAA0BA05211} - (no file)
HKLM-Run-WinampAgent - C:\Program Files\Winamp\winampa.exe
HKLM-Run-f8d8a0d3 - C:\WINDOWS\system32\nyunitqb.dll
HKLM-Run-avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Notify-eohfktqb - eohfktqb.dll


.
------- Scan Suplementar -------
.
FireFox -: Profile - C:\Documents and Settings\Paulo\Application Data\Mozilla\Firefox\Profiles\phz3d5dh.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.tvcabo.pt/default.aspx
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-22 22:32:34
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...


**************************************************************************
.
------------------------ Outros Processos em Execução ------------------------
.
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Paulo\LOCALS~1\temp\{416998BC-890B-4C9C-9B28-123BBC700932}\Blaero Start Orb.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-10-22 22:49:55 - Máquina reiniciou
ComboFix-quarantined-files.txt 2008-10-22 21:48:47

Pré-execução: 9.084.030.976 bytes free
Pós execução: 8,266,780,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

207 --- E O F --- 2008-02-14 03:39:29


and here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:16:11, on 22-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Paulo\Desktop\Tarix\tarix.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvcabo.pt/default.aspx
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\system32\ljjggfe.dll
O2 - BHO: (no name) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - (no file)
O2 - BHO: (no name) - {159A38AE-10F0-4353-AE86-A5BD8382A76C} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {4634AAA5-5F76-4D58-B6E0-42465307EE5E} - (no file)
O2 - BHO: (no name) - {4ebd444f-4a06-4f5c-9407-a526a1fbb7cd} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8D5A7CC7-E618-474C-94EE-265AC5768512} - C:\WINDOWS\system32\gebbc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C03FD59D-9104-44B7-929A-9EAA0BA05211} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Virtual Dimension] C:\Program Files\Virtual Dimension\VirtualDimension.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Blaero Start Orb.lnk = C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O20 - Winlogon Notify: eohfktqb - C:\WINDOWS\
O20 - Winlogon Notify: ljjggfe - C:\WINDOWS\SYSTEM32\ljjggfe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7331 bytes


thanks :) and sorry for the time and patience taken with me

Shaba
2008-10-23, 11:09
We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.

Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\gebbc.dll
C:\WINDOWS\system32\ljjggfe.dll


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

tarix
2008-10-23, 16:42
Hi Shaba,
Here are the reports from ComboFix and HijackThis you requested. I have to say that when running ComboFix the first time it asked me to download a newer version since that one was out of date (which I did by going to the site you mentioned). I hope this doesn't interfere with the results, thanks

combofix report:

ComboFix 08-10-22.05 - Paulo 2008-10-23 13:53:11.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.556 [GMT 1:00]
Executando de: C:\Documents and Settings\Paulo\Desktop\ComboFix.exe
Comandos utilizados :: C:\Documents and Settings\Paulo\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\gebbc.dll
C:\WINDOWS\system32\ljjggfe.dll
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gebbc.dll
C:\WINDOWS\system32\ljjggfe.dll
C:\WINDOWS\temp\perflib_perfdata_1cc.dat

.
(((((((((((((((( Arquivos/Ficheiros criados de 2008-09-23 to 2008-10-23 ))))))))))))))))))))))))))))
.

Nenhum ficheiro/arquivo criado durante este período

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-22 21:36 --------- d-----w C:\Documents and Settings\Paulo\Application Data\AVG7
2007-09-29 03:21 47,360 ----a-w C:\Documents and Settings\Paulo\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-22_22.48.06.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-10-22 21:36:01 239,292 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-10-22 22:12:22 239,287 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-10-22 21:37:25 80,078 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-10-22 21:37:27 80,330 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-10-22 21:37:25 458,638 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-10-22 21:37:28 459,082 ----a-w C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-07-24 1298432]
"Virtual Dimension"="C:\Program Files\Virtual Dimension\VirtualDimension.exe" [2005-07-09 446976]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2007-07-19 208946]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 190072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 65536]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"QuickTime Task"="C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" [2006-09-24 282624]
"VisualTooltip"="C:\Program Files\VisualTooltip\VisualToolTip.exe" [2006-10-06 942080]
"Blaero Start Orb"="C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe" [2006-07-30 575488]
"Styler"="C:\Program Files\Styler\Styler.exe" [2006-05-03 307200]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 88024]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-03-07 184408]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-19 579072]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [BU]
"f8d8a0d3"="C:\WINDOWS\system32\nyunitqb.dll" [BU]
"MsmqIntCert"="mqrt.dll" [2007-07-06 C:\WINDOWS\system32\mqrt.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-19 219136]

C:\Documents and Settings\Paulo\Start Menu\Programs\Startup\
Blaero Start Orb.lnk - C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe [2006-12-28 575488]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-03-27 262944]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-11-21 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):76,69,73,74,61,75,69,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\eohfktqb]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"vidc.3iv2"= 3ivxVfWCodec.dll
"msacm.divxa32"= divxa32.acm
"VIDC.HFYU"= huffyuv.dll
"VIDC.VP31"= vp31vfw.dll
"vidc.ffds"= C:\Program Files\ffdshow\ffdshow.ax
"msacm.avis"= C:\Program Files\ffdshow\ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 16:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware12]
--a------ 2003-05-20 07:56 49152 C:\Program Files\ScanSoft\OmniPagePro12.0\opware12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVRemote]
--------- 2002-01-29 03:12 61440 C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\remoterm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 08:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"6to4"=2 (0x2)
"Diskeeper"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"NBService"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\mqsvc.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Download Express\\dep.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Core\\nero.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\FolderShare\\FolderShare.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\SAIG\\Surfulater\\Surfulater.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 u1pvdbs;SONY USB CAMERA Base Driver;C:\WINDOWS\system32\DRIVERS\u1pvdbs.sys [2001-11-27 6225]
S3 pctvvbi;PCTVVBI;C:\WINDOWS\system32\DRIVERS\pctvvbi.sys [2002-04-02 6369]
S3 tbHD;Philips PSC705 WDM Driver;C:\WINDOWS\system32\drivers\TBirdHD.sys [2002-06-04 336066]
S3 u1pvdsm;SONY USB CAMERA Video Capture Device;C:\WINDOWS\system32\DRIVERS\u1pvdsm.sys [2001-11-27 318419]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5593390-d671-11db-916e-00805a2069c9}]
\Shell\AutoRun\command - G:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe
.
Conteúdo da pasta 'Tarefas Agendadas'

2008-01-28 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2006-10-10 17:13]

2008-03-04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2006-07-08 01:26]
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{159A38AE-10F0-4353-AE86-A5BD8382A76C} - (no file)
BHO-{4634AAA5-5F76-4D58-B6E0-42465307EE5E} - (no file)
BHO-{4ebd444f-4a06-4f5c-9407-a526a1fbb7cd} - (no file)
BHO-{8D5A7CC7-E618-474C-94EE-265AC5768512} - C:\WINDOWS\system32\gebbc.dll
Notify-ljjggfe - ljjggfe.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-23 14:02:02
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...


**************************************************************************
.
------------------------ Outros Processos em Execução ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-10-23 14:20:05 - Máquina reiniciou
ComboFix-quarantined-files.txt 2008-10-23 13:19:01
ComboFix2.txt 2008-10-22 21:49:56

Pré-execução: 9.081.970.688 bytes free
Pós execução: 9,122,836,480 bytes free

173 --- E O F --- 2008-02-14 03:39:29


HJT Log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:18, on 23-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Paulo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvcabo.pt/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - (no file)
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Virtual Dimension] C:\Program Files\Virtual Dimension\VirtualDimension.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Blaero Start Orb.lnk = C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O20 - Winlogon Notify: eohfktqb - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6669 bytes

many thanks for your time and patience :)

Shaba
2008-10-23, 16:56
That was the correct thing to do :)

O2 - BHO: (no name) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O20 - Winlogon Notify: eohfktqb - C:\WINDOWS\

Close all windows including browser and press fix checked.

Reboot.

Please go to Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button: Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif)
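
The entries Shaba picks out above share a few recognisable shapes: BHOs whose DLL is gone "(no file)", a Run entry with a hex-looking name that loads a random-named DLL through rundll32, DPF entries with no download URL, and a Winlogon Notify entry that points at a directory instead of a DLL. The script below is an added example, not something from the thread or from the HijackThis project: it parses HJT-style lines and flags those four patterns so a helper can narrow a long log before reading it by hand. The sample log is constructed from the entries shown in this thread; the "random-looking name" rule (7 or 8 lowercase letters, no digits) is a heuristic assumed here, not a HijackThis feature, and legitimate entries can match it, so every hit still needs a human decision.

```python
import re

# Constructed sample: the entries Shaba marked for fixing above, interleaved with
# benign entries from the same log, so the script runs offline.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [f8d8a0d3] rundll32.exe "C:\WINDOWS\system32\nyunitqb.dll",b
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} -
O20 - Winlogon Notify: eohfktqb - C:\WINDOWS\
O20 - Winlogon Notify: ljjggfe - C:\WINDOWS\SYSTEM32\ljjggfe.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

HEX_NAME = re.compile(r"^[0-9a-f]{8}$")      # e.g. f8d8a0d3
RANDOM_NAME = re.compile(r"^[a-z]{7,8}$")    # heuristic: nyunitqb, eohfktqb, ljjggfe


def _looks_random(name):
    """Assumed heuristic: short all-lowercase names with no digits look generated."""
    return bool(RANDOM_NAME.match(name))


def triage_line(line):
    """Return a reason string if an HJT line deserves a closer look, else None."""
    line = line.strip()
    # O2: a BHO CLSID is still registered but its DLL no longer exists.
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return "orphaned BHO: CLSID registered but its DLL is missing"
    # O4: [name] command; look for rundll32 loading a DLL with a generated-looking name.
    m = re.match(r"^O4 - [^:]+: \[([^\]]+)\] (.*)$", line)
    if m:
        name, cmd = m.groups()
        dll = re.search(r"([A-Za-z0-9_]+)\.dll", cmd, re.IGNORECASE)
        if "rundll32" in cmd.lower() and dll and (
            HEX_NAME.match(name) or _looks_random(dll.group(1))
        ):
            return "Run entry loading a random-looking DLL through rundll32"
        return None
    # O16: a Downloaded Program File (ActiveX) entry with no source URL after the dash.
    if line.startswith("O16 - DPF:") and line.endswith(" -"):
        return "ActiveX (DPF) entry with no download URL"
    # O20: Winlogon Notify entries run inside winlogon.exe; no DLL path or a
    # random-named DLL matching the key name is the shape seen in this thread.
    if line.startswith("O20 - Winlogon Notify:"):
        head, _, path = line.rpartition(" - ")
        key = head.split(":", 1)[1].strip()
        if not path.lower().endswith(".dll"):
            return "Winlogon Notify entry without a DLL path"
        base = path.rsplit("\\", 1)[-1][:-4]
        if _looks_random(key) and key.lower() == base.lower():
            return "Winlogon Notify DLL with a random-looking name"
    return None


def triage(log_text):
    """Parse a whole HJT log and return [(line, reason)] for the flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_HJT_LOG):
        print(f"{why}\n    {entry}")
```

Run on the constructed sample it reports seven entries: the two orphaned BHOs, the f8d8a0d3 Run entry, both empty DPF entries and both Winlogon Notify entries, while the AVG, Bluetooth, WGA and Diskeeper lines pass through untouched.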

tarix
2008-10-24, 06:58
Hi Shaba,
here are the reports you requested. Because we had made a full scan a few days ago with Kaspersky (including disc D:) and nothing has changed on that disc, I thought we could skip it this time, so I did only a full scan on C:, but if you wish I can run it again in full mode, let me know if it's really necessary :)
Together with it I send you the latest report from HJT as requested

Kaspersky Report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, October 24, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, October 24, 2008 00:40:58
Records in database: 1341152
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
C:\

Scan statistics:
Files scanned: 87089
Threat name: 10
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 01:59:24


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\SeD Help\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Paulo\Desktop\1\Diverssos\Programas\MSN-Password-Recovery-setup.exe Infected: not-a-virus:PSWTool.Win32.MSNPassword.e 1
C:\Documents and Settings\Paulo\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Paulo\My Documents\LimeWire\Saved\o homem que sabe querer carlos.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe Infected: Trojan-Spy.Win32.Agent.ehl 1
C:\Program Files\Easy Video Downloader\VideoDownloader.exe Infected: Backdoor.Win32.Reload.bl 1
C:\Program Files\IncrediMail\bin\IncrediMail_Install.exe Infected: not-a-virus:Downloader.Win32.ImLoader.m 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gebbc.dll.vir Infected: Trojan.Win32.Monder.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jkghje.dll.vir Infected: Trojan.Win32.Agent.fgw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\service.exe.vir Infected: Trojan-Downloader.Win32.Small.ima 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_ljjggfe_.dll.zip Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1
C:\WINDOWS\system32\efedc.dll_old Infected: Trojan.Win32.Monder.gen 1
C:\WINDOWS\system32\vimc.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.e 1

The selected area was scanned.

HJT Report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:46:46, on 24-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Paulo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvcabo.pt/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Virtual Dimension] C:\Program Files\Virtual Dimension\VirtualDimension.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Blaero Start Orb.lnk = C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 6296 bytes

Thanks again for all the help you have given me :)

Shaba
2008-10-24, 11:08
We need to upload some files next:

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\system32\vimc.exe
C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
C:\Program Files\Easy Video Downloader\VideoDownloader.exe

Repeat steps for all files on the list.

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

tarix
2008-10-24, 15:43
Hi Shaba,
here are the reports you asked for from VirusTotal (the other one is busy)
by the way, my IE still has the same proxy server script under "use automatic configuration script", this one: http://localhost:9100/proxy.pac

reports:

Arquivo vimc.exe

MD5: 783612616e4222503de7f3babb981992
First received: 2007.02.04 19:40:10 (CET)
Data 2008.10.16 12:17:11 (CET) [>8D]
Resultados 10/36
Permalink: analisis/4ca9aeddad1e2d3ca0870c827a909a4c

Arquivo vimc.exe recebido em 2008.10.16 12:17:11 (CET)
Andamento: terminado

Resultado: 10/36 (27.78%)
Antivírus Versão Última Atualização Resultado
AhnLab-V3 - - -
AntiVir - - -
Authentium - - W32/HackToolX.KI
Avast - - -
AVG - - -
BitDefender - - -
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - Tool.CloseApp
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/HackToolX.KI
F-Secure - - RiskTool.Win32.CloseApp.e
Fortinet - - HackerTool/CloseApp
GData - - -
Ikarus - - not-a-virus:RiskTool.Win32.CloseApp.a
K7AntiVirus - - not-a-virus:RiskTool.Win32.CloseApp.a
Kaspersky - - not-a-virus:RiskTool.Win32.CloseApp.e
McAfee - - potentially unwanted program Generic PUP
Microsoft - - -
NOD32 - - -
Norman - - -
Panda - - -
PCTools - - -
Prevx1 - - -
Rising - - -
SecureWeb-Gateway - - -
Sophos - - -
Sunbelt - - -
Symantec - - -
TheHacker - - -
TrendMicro - - -
VBA32 - - -
ViRobot - - Not_a_virus:RiskTool.CloseApp.414223
VirusBuster - - -
Additional information
MD5: 783612616e4222503de7f3babb981992
SHA1: 4babaffe83e76e0f181f1ffe45b37bee4be0d807
SHA256: e2345fe0c7dc381cb514cae005d8bf9040c0a8907d6dded1f2b1133cfbe2b5fd
SHA512: e7bd71eefa36f624c1a57f9541725f2ab03609f43ebd7269351f93b1cfa4d42cc126a209b739a508b9039d6e758185b90559beb64534124488d1419abc5309a1


Report: Vista_Orb.exe

MD5: 3e1e0307ba77c465ca2991627583edc9
First received: 2008.06.24 13:13:31 (CET)
Date 2008.10.22 10:02:38 (CET) [>2D]
Results 16/36
Permalink: analisis/6f0d57129b112f67b56ea7280caa177d

File Vista_Orb.exe received on 2008.10.22 10:00:28 (CET)
Status: finished

Result: 16/36 (44.44%)
Antivirus Version Last Update Result
AhnLab-V3 2008.10.22.0 2008.10.22 Win-Trojan/Agent.575488.I
AntiVir 7.9.0.5 2008.10.21 TR/Spy.Agent.ehl
Authentium 5.1.0.4 2008.10.22 -
Avast 4.8.1248.0 2008.10.21 -
AVG 8.0.0.161 2008.10.21 -
BitDefender 7.2 2008.10.22 -
CAT-QuickHeal 9.50 2008.10.21 TrojanSpy.Agent.ehl
ClamAV 0.93.1 2008.10.22 Trojan.Dropper-10500
DrWeb 4.44.0.09170 2008.10.22 -
eSafe 7.0.17.0 2008.10.19 Win32.Agent.ehl
eTrust-Vet 31.6.6162 2008.10.21 -
Ewido 4.0 2008.10.21 Dropper.Agent.tor
F-Prot 4.4.4.56 2008.10.21 -
F-Secure 8.0.14332.0 2008.10.22 Trojan-Spy.Win32.Agent.ehl
Fortinet 3.113.0.0 2008.10.22 -
GData 19 2008.10.22 -
Ikarus T3.1.1.44.0 2008.10.22 Trojan-Spy.Win32.Agent.ehl
K7AntiVirus 7.10.501 2008.10.21 Trojan-Spy.Win32.Agent.ehl
Kaspersky 7.0.0.125 2008.10.22 Trojan-Spy.Win32.Agent.ehl
McAfee 5411 2008.10.22 -
Microsoft 1.4005 2008.10.22 -
NOD32 3544 2008.10.21 probably a variant of Win32/Spy.Agent
Norman 5.80.02 2008.10.21 -
Panda 9.0.0.4 2008.10.22 -
PCTools 4.4.2.0 2008.10.21 -
Prevx1 V2 2008.10.22 Cloaked Malware
Rising 20.67.21.00 2008.10.22 -
SecureWeb-Gateway 6.7.6 2008.10.21 Trojan.Spy.Agent.ehl
Sophos 4.34.0 2008.10.22 -
Sunbelt 3.1.1742.1 2008.10.21 -
Symantec 10 2008.10.22 -
TheHacker 6.3.1.0.123 2008.10.22 -
TrendMicro 8.700.0.1004 2008.10.22 TROJ_DROPPER.DAX
VBA32 3.12.8.8 2008.10.22 Trojan-Spy.Win32.Agent.ehl
ViRobot 2008.10.22.1431 2008.10.22 Spyware.Agent.575488
VirusBuster 4.5.11.0 2008.10.21 -
Additional information
File size: 575488 bytes
MD5...: 3e1e0307ba77c465ca2991627583edc9
SHA1..: 022f34174ec322f3bcabbf6ee2a9be85b322ee83
SHA256: 4d4c9daf339ea8eb6db710e49c8404c5f7d7e85f67eb05191818edcaf44134a9
SHA512: 7b9751ca85886236548e5cc28fb62baf43711192fc818c828b89dbbbd7a903cf05f75567a05a2cc43cc002d9325dc5dc6d3cb2021faff0e216bfeb79de17608a
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4059a4
timedatestamp.....: 0x42235f2d (Mon Feb 28 18:13:01 2005)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xb634 0xb800 6.64 c0dca641f36a4f6dcc4153892003c351
.rdata 0xd000 0x29d8 0x2a00 5.43 e23551ba1ceb07fcd8efa4e320c2d112
.data 0x10000 0x3d8c 0x1e00 2.41 f4e5a9e48537cf870570369f89b4db2a
.rsrc 0x14000 0x7c2ec 0x7c400 7.97 25ba956c20c796daf742f7c030c4a9b5

( 6 imports )
> SHLWAPI.dll: PathRemoveFileSpecW, PathFileExistsW, PathIsDirectoryW, PathGetArgsW, PathStripPathW
> KERNEL32.dll: GetSystemInfo, MultiByteToWideChar, lstrlenA, CreateDirectoryW, lstrcpyW, lstrlenW, CloseHandle, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, GetFileTime, CreateFileW, lstrcpynW, DeleteFileW, WriteFile, LockResource, LoadResource, SizeofResource, GetTempFileNameW, GetTempPathW, RemoveDirectoryW, FindClose, lstrcmpW, FindNextFileW, FindFirstFileW, SetLastError, Sleep, GetSystemDirectoryW, MoveFileW, lstrcatW, GetModuleFileNameW, GetCommandLineW, VirtualProtect, GetLocaleInfoA, FindResourceW, HeapCreate, GetStringTypeW, GetStringTypeA, LCMapStringW, LCMapStringA, HeapSize, HeapFree, HeapAlloc, ExitProcess, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, GetVersionExA, HeapDestroy, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, VirtualAlloc, HeapReAlloc, GetLastError, QueryPerformanceCounter, GetTickCount, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, GetModuleFileNameA, ReadFile, SetHandleCount, GetStdHandle, GetFileType, SetFilePointer, GetProcAddress, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, TlsAlloc, TlsFree, TlsSetValue, TlsGetValue, InitializeCriticalSection, RtlUnwind, InterlockedExchange, VirtualQuery, SetStdHandle, FlushFileBuffers, LoadLibraryA, GetACP, GetOEMCP, GetCPInfo, SetEndOfFile
> USER32.dll: DispatchMessageW, KillTimer, PostQuitMessage, wsprintfW, SetTimer, TranslateMessage, GetMessageW
> ADVAPI32.dll: RegCloseKey, RegQueryValueExW, RegOpenKeyExW
> SHELL32.dll: ShellExecuteExW
> ole32.dll: CoCreateGuid, StringFromGUID2

( 0 exports )

Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=B50F4A5000E158B7D00D000320E3D00090F780C8
ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=3e1e0307ba77c465ca2991627583edc9



Report: File VideoDownloader.exe

MD5: ba2748f821af942858ef43d4d6d30a0c
First received: 2008.05.07 23:06:07 (CET)
Date 2008.10.23 05:58:05 (CET) [+1D]
Results 19/36
Permalink: analisis/778f2ac91c45c0a854e0a5414f056f7e

File VideoDownloader.exe received on 2008.10.23 05:58:05 (CET)
Status: finished

Result: 19/36 (52.78%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - BDS/Reload.BL
Authentium - - W32/Backdoor2.AOMU
Avast - - Win32:Trojan-gen {Other}
AVG - - BackDoor.Generic9.AMAG
BitDefender - - Backdoor.Generic.73112
CAT-QuickHeal - - -
ClamAV - - -
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - Backdoor.Reload.bl
F-Prot - - W32/Backdoor2.AOMU
F-Secure - - Backdoor.Win32.Reload.bl
Fortinet - - W32/Reload.BL!tr.bdr
GData - - Backdoor.Generic.73112
Ikarus - - Backdoor.Win32.Reload.bl
K7AntiVirus - - -
Kaspersky - - Backdoor.Win32.Reload.bl
McAfee - - -
Microsoft - - -
NOD32 - - -
Norman - - -
Panda - - Bck/Reload.H
PCTools - - -
Prevx1 - - System Back Door
Rising - - -
SecureWeb-Gateway - - Trojan.Backdoor.Reload.BL
Sophos - - Mal/Generic-A
Sunbelt - - -
Symantec - - Backdoor.Trojan
TheHacker - - Backdoor/Reload.bl
TrendMicro - - -
VBA32 - - Backdoor.Win32.Reload.bl
ViRobot - - -
VirusBuster - - -
Additional information
MD5: ba2748f821af942858ef43d4d6d30a0c
SHA1: 185c36f57a6f7f90a6ffafd9bedba3908987d735
SHA256: 4a2fd1fd8dd3ad2be00c0f4088b5067c462d487fe18ba483048d84d9588d18f5
SHA512: 673a09c48f290189e284a8675b2949d8de2861fe6c8c4c2cb2e7c39f451271c4441ccff141b529d832ca786f36cb2a848caabeb3f06f11c54262e4143d05f83b


thanks again :)

Shaba
2008-10-24, 19:05
Do you recognize this file or folder?

C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe

tarix
2008-10-25, 01:57
Hi Shaba,
Yes I do, it's from VTP7 (Vista Transformation Pack, a pack that changes only the look of Windows XP, and that program just changes the start menu button a little bit, making it completely round all the time). It should be safe (at least I thought so, especially because it's installed also on the other C: that we cleaned before and never before gave any reason for alarm?!). It's strange...?! :blink:

Shaba
2008-10-25, 12:11
I see.

Then it is a false positive.

Delete these:

C:\WINDOWS\system32\vimc.exe
C:\Program Files\Easy Video Downloader
C:\WINDOWS\system32\efedc.dll_old
C:\Documents and Settings\Paulo\My Documents\LimeWire\S

Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?

tarix
2008-10-25, 21:50
Hi Shaba,
done it!
Along with it I uninstalled these programs/updates, ran a defragmentation and made a fresh new HJT log (hope it's OK and doesn't interfere with what we are doing):

Uninstalled programs:

Adaware 2007 (went to the registry and deleted those entries too)
iTunes (went to the registry and deleted those entries too)
iPod (went to the registry and deleted those entries too)

Serif 3D plus 2.0
Serif Draw Plus 4.0
Serif Page Plus Se 1.0
Serif Web Plus 6.0
Y!Messenger Plus
Yahoo! Browser services
Yahoo Mail
Yahoo Messenger

Uninstalled updates:

Adobe acrobat reader 7.09 to Adobe acrobat reader 9
J2se 5.0 update 6
J2se 5.0 update 9
Java(tm)6 update 1
Java(tm)6 update 2
Java(tm)6 update 3

Wanted to update AVG, S&D and SpywareBlaster to the newer versions but didn't know if I should already.
Windows is asking to update but didn't know if I should already either. :)
Ran a defrag.

Ran HJT and made a fresh new HJT log (below):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:20, on 25-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\Program Files\Virtual Dimension\VirtualDimension.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Paulo\LOCALS~1\Temp\{2203FDD0-F31C-4231-B8CA-2EDEF95CFBD0}\Blaero Start Orb.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\LClock\lclock.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paulo\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvcabo.pt/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Virtual Dimension] C:\Program Files\Virtual Dimension\VirtualDimension.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Blaero Start Orb.lnk = C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?35b1d24c099143fa83118090ba2e25e1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7280 bytes

This entry still appears under the automatic proxy settings in the IE7 menu/connections/LAN settings. I think it's from Google but I uninstalled/deleted all Google programs also :sad::
http://localhost:9100/proxy.pac

The computer is still sluggish and a little bit unstable, sometimes (a lot of times) it's difficult to start and to start a program (takes a lot of time) and sometimes freezes for a while before opening that program. :(

For the rest I couldn't test with S&D (still the old one and out for the moment :) ) but I feel that it's much better (those annoying popups don't appear, although TeaTimer is off I think they will not appear again)


Thanks for all the help :)

Shaba
2008-10-25, 21:52
For general slowness, see here (http://www.malwareremoval.com/tutorials/runningslowly.php) and post back if it helped :)

tarix
2008-10-25, 21:53
P.S. The update Windows is trying to install is Service Pack 3, although I have most of the updates that are in there.

tarix
2008-10-25, 22:12
Hi Shaba,
Done it :)
Helped a little bit, thanks :)
The only thing I didn't do was to remove all but your last System Restore Point, didn't know if this was the correct time to do it.

tarix
2008-10-25, 22:51
Ran WinPatrol and it helped a little bit, thanks :)
Do you wish a report from WinPatrol?

The only thing I didn't do was to remove all but your last System Restore Point, didn't know if this was the correct time to do it, so I'll wait to hear you say it's OK.

P.S. Also this entry still appears under the automatic proxy settings in the IE7 menu/connections/LAN settings. I think it's from Google, and the last time (2/3 years ago) I installed it, it did the same slowness and instability, but I uninstalled/deleted all Google programs:

http://localhost:9100/proxy.pac

Shaba
2008-10-26, 11:43
Yes, it can wait a bit :)

How much RAM you have?

tarix
2008-10-26, 15:31
Hi Shaba,
I have 750 MB of RAM :)

Shaba
2008-10-26, 16:04
OK, that should be fine then.

Is that proxy setting enabled or disabled there?

tarix
2008-10-26, 16:08
Hi Shaba,
That proxy is disabled (although I can't delete it when I enable it and try to delete it and disable it again); it's like no matter what I do it still stands there :sad:

Shaba
2008-10-26, 16:11
Let's check this next:

Please download the Registry Search tool here (http://www.billsway.com/vbspage/vbsfiles/RegSrch.zip)
Save it to the desktop, unzip and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for http://localhost:9100/proxy.pac and click OK. Post the logfile from the tool here for me.
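Where that entry actually lives, as an added example (my own code, not from the thread or from RegSrch): IE keeps the "Use automatic configuration script" URL both in the AutoConfigURL string value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings and inside the REG_BINARY value Connections\DefaultConnectionSettings that backs the LAN settings dialog, and a text search over exported registry data will not match a URL inside a binary value because it is written out as hex. The blob layout and flag bits below are assumptions taken from public reverse engineering rather than Microsoft documentation; the URL in the constructed sample is the one from this thread.

```powershell
# Added example, not part of the thread and not code from RegSrch or any other
# tool mentioned in it. Reads the current user's Internet Explorer proxy
# settings and decodes the REG_BINARY value Connections\DefaultConnectionSettings
# that backs the "LAN settings" dialog.
# ASSUMED layout (public reverse engineering, not Microsoft documentation):
# DWORD version, DWORD counter, DWORD flags, then three length-prefixed ANSI
# strings (proxy server, bypass list, auto-config URL), then padding.

$InetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function ConvertFrom-ConnectionSettings {
    param([Parameter(Mandatory = $true)][byte[]]$Bytes)
    $flags = [BitConverter]::ToInt32($Bytes, 8)   # version and counter are skipped
    $off = 12
    $fields = @()
    for ($i = 0; $i -lt 3; $i++) {
        $len = [BitConverter]::ToInt32($Bytes, $off)
        $off += 4
        $fields += [Text.Encoding]::ASCII.GetString($Bytes, $off, $len)
        $off += $len
    }
    New-Object PSObject -Property @{
        AutoDetect   = [bool]($flags -band 0x08)   # "Automatically detect settings"
        UsePacScript = [bool]($flags -band 0x04)   # "Use automatic configuration script"
        UseProxy     = [bool]($flags -band 0x02)   # "Use a proxy server for your LAN"
        ProxyServer  = $fields[0]
        BypassList   = $fields[1]
        PacUrl       = $fields[2]                  # stays stored even when UsePacScript is off
    }
}

function New-ConnectionSettingsBlob {
    # Builds a blob in the same assumed layout; used only to construct sample input.
    param([int]$Flags, [string]$Proxy = '', [string]$Bypass = '', [string]$PacUrl = '')
    $ms = New-Object IO.MemoryStream
    $w = New-Object IO.BinaryWriter($ms)
    $w.Write([int]0x46); $w.Write([int]1); $w.Write([int]$Flags)
    foreach ($s in @($Proxy, $Bypass, $PacUrl)) {
        $b = [Text.Encoding]::ASCII.GetBytes($s)
        $w.Write([int]$b.Length)
        if ($b.Length -gt 0) { $w.Write($b) }
    }
    $w.Write((New-Object byte[] 32))   # trailing padding
    $w.Flush()
    return $ms.ToArray()
}

function Get-IEProxyConfig {
    # Live check: plain values plus the decoded dialog blob. AutoConfigURL is only
    # present while the PAC box is checked; the dialog blob keeps the URL either way.
    $p = Get-ItemProperty -Path $InetSettings -ErrorAction SilentlyContinue
    $c = Get-ItemProperty -Path "$InetSettings\Connections" -ErrorAction SilentlyContinue
    $dlg = $null
    if ($c -and $c.DefaultConnectionSettings) {
        $dlg = ConvertFrom-ConnectionSettings -Bytes $c.DefaultConnectionSettings
    }
    New-Object PSObject -Property @{
        AutoConfigURL  = $p.AutoConfigURL
        ProxyEnable    = $p.ProxyEnable
        ProxyServer    = $p.ProxyServer
        DialogSettings = $dlg
        # A PAC script served from the local machine is unusual on a home PC and
        # means every URL IE requests is first handed to whatever listens there.
        LocalPacUrl    = [bool]($dlg -and ($dlg.PacUrl -match '^https?://(localhost|127\.)'))
    }
}

# Constructed sample: box unchecked (flags 0x01 = direct connection) yet the URL
# from the thread is still stored, which is why it reappears after a delete.
$sample = New-ConnectionSettingsBlob -Flags 0x01 -PacUrl 'http://localhost:9100/proxy.pac'
ConvertFrom-ConnectionSettings -Bytes $sample | Format-List

# Live audit of this machine
Get-IEProxyConfig | Format-List
```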

tarix
2008-10-26, 16:29
Hi Shaba,
It gave the following report: no instance of http://localhost:9100/proxy.pac found, but if I make the search between quotes ("http://localhost:9100/proxy.pac") the Windows Script Host gives me the following error:

Script: C:\Documents and settings\Paulo\Desktop\RegSrch.vbs
Line: 40
Char: 5
Error: Out of string space: "Split"
Code: 800A000E
Source: Microsoft VBScript runtime error

Shaba
2008-10-26, 19:40
Please do another search with proxy.pac and post back if any results.

tarix
2008-10-26, 20:20
Hi Shaba,
It has found something I believe, here is the log:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "proxy.pac" 26-10-2008 18:16:41

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\S-1-5-21-1715567821-1060284298-854245398-1006\Software\Microsoft\Windows\CurrentVersion\Webcheck\Store.1\{5E989700-36E0-01C9-0000-0000F1D9467F}]
@="How To Remove Http--localhost9100-proxy.pac"

hope this log was done correctly
thanks again

Shaba
2008-10-26, 20:23
Yes but that is not the one.

Can you please take a screenshot from that window and upload it to like imageshack.us?

tarix
2008-10-26, 21:01
Hi Shaba,
Did it but zipped it because of the size (tried to take a complete screenshot of the desktop, didn't know if you wanted that, but the image is too big even after zipping to post it here). Anyhow if you want it I can send it to you, I've kept it.
thanks :)

Shaba
2008-10-26, 21:21
Sorry, I might have said it in a way that is easy to misunderstand :oops:

I meant that if you could take a screenshot from IE settings where that proxy.pac is.

tarix
2008-10-26, 21:57
Hi Shaba,
That's OK, I took a picture for every step I usually do; as you can see the 1st and the 5th are the same (that thing is always there even if I tried to delete it, steps 2, 3 and 4)

thanks :)

Shaba
2008-10-26, 22:12
Yes it seems to come back.

Anyway, it looks like it is not the default, which is good.

I could redirect you for that to some Windows forum, if you don't have any malware issues left?

tarix
2008-10-26, 22:30
Hi Shaba,
Thanks :)
It would be nice if you could redirect me then. :)
For the moment it doesn't seem I have other malware issues left; I just have to re-enable S&D, update the AVG antivirus and make a new clean restore point, both on this C: and on the other C: too, but I'll wait for your instructions. I thought it was better to resolve this thing first and then proceed to the above, but as I said before, I'll wait for your instructions. :)

Thanks a LOT for everything !!! :2thumb:

Shaba
2008-10-27, 10:21
Great :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

I recommend this (http://forums.pcpitstop.com/index.php?) place.

Please download JavaRa (http://sourceforge.net/project/downloading.php?groupname=javara&filename=JavaRa.zip&use_mirror=osdn) and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

Double-click on JavaRa.exe to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location.

Then download and install Java Runtime Environment (JRE) 6 Update 10 (http://java.sun.com/javase/downloads/index.jsp).

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) Comodo (http://www.personalfirewall.comodo.com/download_firewall.html) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage")
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) PC Tools (http://www.pctools.com/firewall/download/)
4) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
5) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za) (uncheck ZoneAlarm Spy Blocker during installation if you choose this one)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Now let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.

Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.


Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and re-enable system restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software and keep your other programs up-to-date - Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector (http://secunia.com/software_inspector/)
F-secure Health Check (http://www.f-secure.com/weblog/archives/00001356.html)

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:

Malwarebytes' Anti-Malware Setup Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1644)

Malwarebytes' Anti-Malware Scanning Guide (http://www.bfccomputers.com/forum/index.php?showtopic=1645)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer. See also a hosts file tutorial here (http://malwareremoval.com/forum/viewtopic.php?t=22187)
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://forums.spybot.info/showthread.php?t=279)

Happy surfing and stay clean! :bigthumb:
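The six Custom Level changes in the post above map onto DWORD values under the Internet zone key, so they can be audited from PowerShell. This is an added example, not from the post or from any tool it names; the value IDs (1001, 1004, 1201, 1800, 1804, 1607) and the meanings 0 = Enable, 1 = Prompt, 3 = Disable are Microsoft's documented zone-setting numbers, and the script assumes per-user settings in HKCU rather than a policy-enforced zone under HKLM.

```powershell
# Added example, not from the thread. Audits the current user's Internet zone
# (zone 3) against the six Custom Level settings from the post and can apply them.
# Value IDs and meanings (0 = Enable, 1 = Prompt, 3 = Disable) follow Microsoft's
# documented zone registry layout. ASSUMES per-user settings in HKCU; if the same
# values are set by policy under HKLM, those take precedence and this audit will
# not see them.

$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$Enable = 0; $Prompt = 1; $Disable = 3

# Hardened values from the post, keyed by the numeric value name IE uses.
$Hardened = @(
    @{ Name = '1001'; Setting = 'Download signed ActiveX controls';                          Want = $Prompt  }
    @{ Name = '1004'; Setting = 'Download unsigned ActiveX controls';                        Want = $Disable }
    @{ Name = '1201'; Setting = 'Initialize and script ActiveX controls not marked as safe'; Want = $Disable }
    @{ Name = '1800'; Setting = 'Installation of desktop items';                             Want = $Prompt  }
    @{ Name = '1804'; Setting = 'Launching programs and files in an IFRAME';                 Want = $Prompt  }
    @{ Name = '1607'; Setting = 'Navigate sub-frames across different domains';              Want = $Prompt  }
)

function ConvertTo-SettingName {
    param([object]$Value)
    switch ($Value) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unknown ($Value)" } }
}

function Get-ZoneSettingDrift {
    # Returns one object per setting whose current value differs from the hardened one.
    param([string]$ZonePath = $InternetZone)
    $current = Get-ItemProperty -Path $ZonePath -ErrorAction SilentlyContinue
    foreach ($h in $Hardened) {
        $have = $null
        if ($current) { $have = $current.($h.Name) }
        if ($null -eq $have) { $haveText = 'not set (IE default applies)' }
        else                 { $haveText = ConvertTo-SettingName $have }
        if ($have -ne $h.Want) {
            New-Object PSObject -Property @{
                Value   = $h.Name
                Setting = $h.Setting
                Current = $haveText
                Wanted  = (ConvertTo-SettingName $h.Want)
            }
        }
    }
}

function Set-HardenedZoneSettings {
    # Applies the six values. Run as the user whose IE profile is being hardened.
    param([string]$ZonePath = $InternetZone)
    if (-not (Test-Path $ZonePath)) { New-Item -Path $ZonePath -Force | Out-Null }
    foreach ($h in $Hardened) {
        Set-ItemProperty -Path $ZonePath -Name $h.Name -Value $h.Want -Type DWord
    }
}

# Report what still differs from the hardened values; uncomment the second line to apply them.
Get-ZoneSettingDrift | Format-Table Value, Setting, Current, Wanted -AutoSize
# Set-HardenedZoneSettings; Get-ZoneSettingDrift
```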

tarix
2008-10-28, 04:06
Hi Shaba,
Thanks for all the help you have been giving me :) :) :)
I did what you said and so here it goes:

Java Runtime Environment (JRE) 6 update 10: installed and running successfully

ComboFix: uninstalled successfully

OTCleanIt: uninstalled successfully all the applications and itself

AVG 8 Antivirus: updated successfully

SpywareBlaster: updated successfully

S&D: updated successfully

Malwarebytes' Anti-Malware: installed and updated successfully

WinPatrol: installed and updated successfully

Windows: new updates installed

Internet Explorer more secure: Done!!

System restore: deleted all the old restore points and created a new one successfully

Firewall: Could not install a firewall :( (apparently it gives me conflicts with my service provider or I don't know (tried all of them and had to uninstall them), the internet doesn't work/open anymore)
As I have a router with a firewall included, hope this helps a little bit; I'll just have to be more careful I guess :)

So I did a defragmentation and it's running very well, many thanks :) :)

One last question: what about the other C: we were working on (the first one)? Should I proceed and do the same as on this one, or are there other procedures that I should take care of?


Here is the last HJT log file from this C: so you can check if everything looks good and OK: :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:56:07, on 28-10-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LClock\LClock.exe
C:\Program Files\VisualTooltip\VisualToolTip.exe
C:\Program Files\Styler\Styler.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\DOCUME~1\Paulo\LOCALS~1\Temp\{B9651638-4A36-4E17-BC65-CAC452F05CE9}\Blaero Start Orb.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Rainlendar2\Rainlendar2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Desktop Search\WindowsSearchFilter.exe
C:\Documents and Settings\Paulo\Desktop\Tarix\tarix.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvcabo.pt/default.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENWW/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O4 - HKLM\..\Run: [VisualTooltip] C:\Program Files\VisualTooltip\VisualToolTip.exe
O4 - HKLM\..\Run: [Blaero Start Orb] C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - HKLM\..\Run: [Styler] C:\Program Files\Styler\Styler.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Blaero Start Orb.lnk = C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/229?35b1d24c099143fa83118090ba2e25e1
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-ww\msntabres.dll.mui/230?35b1d24c099143fa83118090ba2e25e1
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 7643 bytes


many thanks again :wav:

Shaba
2008-10-28, 15:34
"As I have a router with a firewall included, I hope this helps a little bit, I'll just have to be more careful I guess"

Yes that is fine then :)

"One last question: what about the other C: we're working on? (the first one) Should I proceed and do the same as with this one? Or are there other procedures that I should take care of?"

Yes, the same procedures are meant also for that other C:

tarix
2008-10-28, 17:06
Hi Shaba,
Thanks for all the time and patience to help me, you're the best, you're great, thank you!!!
:wav:

Shaba
2008-10-30, 10:58
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.