
Thread: Win32.Zhelatin.k recurring (RE-OPENED)

  1. #1
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default Win32.Zhelatin.k recurring (RE-OPENED)

    Hi. I run Spybot once a week, and I keep getting alerts that I have Win32.Zhelatin.k on my system. I choose Fix and then re-run Spybot and the trojan is gone. I posted a question about this in Spybot S&D at http://forums.spybot.info/showthread...latin.k&page=2, but Tashi suggested I'd best come over here and lay out what's happening.

    I've run the preliminaries, including an online eTrust scan which came up with "130672 files scanned. No viruses found. No infections." I have all the latest updates, including SP2, having set Windows XP to announce whenever there's one to download. I run Windows Defender weekly. I also run AVG and AdAware, and I've set my browser so only well-trusted sites can download cookies and I've got ActiveX set for prompt only. I'll post my HiJackThis log at the end of this.

    I don't understand why I keep getting the same trojan coming up each week. I also get an alert called Microsoft.WindowsSecurityCenter.FirewallBypass, which mystifies me and which I fix whenever it comes up. My Windows firewall is always on whenever I go online, so I don't know what this alert means.

    Here's my HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 6:55:27 PM, on 28/06/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\WINDOWS\system32\ntvdm.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\system32\S3apphk.exe
    C:\HP\KBD\KBD.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\NCLAUNCH.EXe
    C:\Program Files\Messenger\msmsgs.exe
    C:\OPLIMIT\ocrawr32.exe
    C:\Program Files\Folding@Home\winFAH.exe
    C:\Program Files\Big Ben\BigBen.exe
    C:\Program Files\Folding@Home\FahCore_78.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/#subject:ask|pg:1
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O3 - Toolbar: &hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
    O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Startup: Folding@Home 5.03.lnk = ?
    O4 - Startup: Shortcut to BigBen.exe.lnk = C:\Program Files\Big Ben\BigBen.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://www.netfile.gc.ca
    O15 - Trusted Zone: http://www.symantecstore.com
    O15 - Trusted Zone: http://www.ufile.ca
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://downloadcenter.samsung.com/co...rolLite_EN.cab
    O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.busonline.ca/activex/ScriptX.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tech...l/LSSupCtl.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.co...veX/winrep.cab
    O16 - DPF: {5CB1506E-1DEA-4E63-89A7-E40E52AEA1FD} (OnagerCtrl Class) - http://fulfillment.puretracks.com/onager.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/reso...scbase8460.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1180060010109
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
    O16 - DPF: {72A851B1-3F75-45ED-9B59-339AC85A3F7D} (moontaxidownload Control) - https://www.puretracks.com/moontaxidownload.ocx
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/p...ce/install.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab55579.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security1.norton.com/SSC/Shar.../bin/cabsa.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
    O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Service Client v.3.4) - http://ccon.futuremark.com/global/msc34.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/tech...ActiveData.cab
    O16 - DPF: {E9348280-2D74-4933-BE25-73D946926795} (DeviceEnum Class) - http://h20270.www2.hp.com/ediags/gmn...detection3.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - http://isupport4.hp.com/motivedocs/l...er/MotUtil.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/sj/en/check/qdiagh.cab?319
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
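    A log like the one above is read section by section (R/F/O prefixes) rather than top to bottom. As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script run over nine lines copied from the log posted above; the flag rules are the example's own heuristics for what a removal helper looks at first, and a flag means "look closer", not "infected".

```python
"""Triage a HijackThis 1.99.x log by section prefix.

Added example (not from the thread or from HijackThis): it parses the
R/F/O entry lines, pulls out the executable, vendor or URL each one
refers to, and attaches review flags. The flag rules are this example's
own heuristics; a flagged entry is a prompt to look closer, not proof
of infection.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample: nine lines copied from the log posted in the thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\OPLIMIT\ocraware.exe
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [NCLaunch] C:\WINDOWS\NCLAUNCH.EXe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: http://www.ufile.ca
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.busonline.ca/activex/ScriptX.cab
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    detail: str                 # what the entry points at: path, host, owner...
    flags: Tuple[str, ...]


def exe_path(cmd: str) -> str:
    """First executable in a Run-key command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", cmd, re.I)   # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split(" ")[0]


def _inspect(sec: str, body: str) -> Finding:
    flags: List[str] = []
    detail = body
    if "(file missing)" in body:
        flags.append("entry points at a file that no longer exists")
    if sec == "F3" and body.startswith("REG:win.ini: load="):
        detail = body.split("=", 1)[1]
        flags.append("legacy win.ini load= autostart")
    elif sec == "O4" and (m := O4_RE.match(body)):
        detail = exe_path(m["cmd"])
        if "\\" not in detail:
            flags.append("bare filename: resolved through the search path, not a fixed location")
        elif re.search(r"\\windows\\[^\\]+$", detail, re.I):
            flags.append("executable sits directly in %WINDIR% rather than a program folder")
    elif sec == "O15":
        detail = body.split(": ", 1)[1]
        flags.append("Trusted Zone: IE relaxes ActiveX and scripting limits for this site")
    elif sec == "O16" and (m := O16_RE.match(body)):
        url = urlparse(m["url"])
        detail = f"{m['desc']} from {url.hostname}"
        if url.scheme == "http":
            flags.append("ActiveX control fetched over plain http")
    elif sec == "O23" and (m := O23_RE.match(body)):
        detail = m["path"]
        if m["owner"] == "Unknown owner":
            flags.append("service binary carries no vendor string")
    return Finding(sec, detail, tuple(flags))


def triage(log_text: str) -> List[Finding]:
    """Parse every R/F/O line; other lines (header, process list) are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(_inspect(m["sec"], m["body"]))
    return out


def flagged(log_text: str) -> List[Finding]:
    return [f for f in triage(log_text) if f.flags]


if __name__ == "__main__":
    for f in flagged(SAMPLE_LOG):
        print(f"{f.section:<4}{f.detail}\n      -> {'; '.join(f.flags)}")
```

    Running it on the full log is a matter of pasting the log into `SAMPLE_LOG` or reading it from a file; the Windows Defender and NVIDIA lines come through unflagged, while the win.ini `load=` line, the bare `S3apphk.exe`, the executable in the Windows root, the orphaned O9 entry, the Trusted Zone site, the plain-http ActiveX download and the service with no vendor string are the seven entries it hands back for a closer look.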


  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello Benzmum

    Ok, at first I'd like to see the Spybot S&D scan log (update the definitions and run a new scan first). So please post the part that shows the infections here.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  3. #3
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default Spybot run

    MrJak3, the last run I did was after I'd "fixed" the problems listed, and at that time everything came up clean which it did last week as well. But then within a week the same trojan comes back. I have no idea how to obtain a Spybot log - I didn't know it was actually possible. But here's what I got the last time I was alerted to infections:
    Problem
    Microsoft.WindowsSecurityCenter.FirewallBypass
    Settings
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile [there may have been more at the end of that line, but I didn't get the rest - I'm typing this from a screenshot I took]
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    Win32.Zhelatin.k
    Settings
    HKEY_USERS\S-1-5-21-3293823761-4021508746-203944788-1003\Software\Microsoft\Windows\ShellNoRoam\M [missed the end of this too]

    So does that mean anything to you?

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello

    Those don't look dangerous though I would like to see everything from the second entry....

    Let's run one scan just in case...

    Please do an online scan with Kaspersky WebScanner

    Click on Kaspersky Online Scanner

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
        Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.

  5. #5
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default Kaspersky online scan

    Hi Mr_Jak3. I've just completed my Kaspersky scan as instructed (took 4 hours), and it says I'm infected. I selected Save report as and chose text, and here's what I got:
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, July 01, 2007 2:42:27 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 1/07/2007
    Kaspersky Anti-Virus database records: 356263
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 150066
    Number of viruses found: 1
    Number of infected objects: 1
    Number of suspicious objects: 0
    Duration of the scan process: 03:53:56

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-12102006-162857.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-07-01_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Documents\ARocha\Kenya.gif.shs Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EB923B24-EC8B-43D5-9C52-C1C84FC10AC5} Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
    C:\hp\bin\KillWind.exe Infected: not-a-virus:RiskTool.Win32.PsKill.p skipped
    C:\Program Files\Folding@Home\FAHlog.txt Object is locked skipped
    C:\Program Files\Folding@Home\work\logfile_00.txt Object is locked skipped
    C:\Program Files\Folding@Home\work\wudata_00.arc Object is locked skipped
    C:\Program Files\Folding@Home\work\wudata_00.bed Object is locked skipped
    C:\Program Files\Folding@Home\work\wudata_00.goe Object is locked skipped
    C:\Program Files\Folding@Home\work\wudata_00.log Object is locked skipped
    C:\Program Files\Folding@Home\work\wudata_00.sas Object is locked skipped
    C:\Program Files\Folding@Home\work\wudata_00.xtc Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{07067F02-601B-445E-AF8E-8602C05A674E}\RP162\change.log Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\guitrn.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\guitrn_a.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\migapp.inf Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\migwiz.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\migwiz_a.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\script.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\script_a.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\spuninst\spuninst.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\spuninst\spuninst.inf Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\sysmod.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ307869$\sysmod_a.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ310437$\spuninst\spuninst.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallQ310437$\spuninst\spuninst.inf Object is locked skipped
    C:\WINDOWS\$NtUninstallQ310437$\ups.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallQ314862$\qmgr.dll Object is locked skipped
    C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.exe Object is locked skipped
    C:\WINDOWS\$NtUninstallQ314862$\spuninst\spuninst.inf Object is locked skipped
    C:\WINDOWS\$NtUninstallQ318966$\spuninst\Q318966.log Object is locked skipped
    C:\WINDOWS\$NtUninstallQ323172$\reg00003 Object is locked skipped
    C:\WINDOWS\$NtUninstallQ323172$\reg00005 Object is locked skipped
    C:\WINDOWS\$NtUninstallQ323172$\reg00008 Object is locked skipped
    C:\WINDOWS\$NtUninstallQ323172$\reg00009 Object is locked skipped
    C:\WINDOWS\$NtUninstallQ323172$\reg00010 Object is locked skipped
    C:\WINDOWS\$NtUninstallQ323172$\reg00011 Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\pfirewall.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\TMP000000FB6C71CDB0B079B3C2 Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    I can't see where it tells me what virus I've got. I took a screenshot of the window at the end of the screen, which I could send if you tell me how (assuming it's useful). Is the above enough information for you?

    I sure hope there wasn't something else I needed to do because I'd hate to have to re-do the scan.

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello

    Ok the infection Kaspersky discovered isn't really an infection. It is just a tool from your pc's manufacturer that is flagged as a risk tool.

    I need to see the exact info about the Win32.Zhelatin.k in Spybot log.

    Let's do this.

    Open Spybot S&D
    Click on the "Recovery"
    Then click on the Win32.Zhelatin.k infection that has been fixed.
    Now click on the checkmark so that the entry gets expanded.

    Copy the whole info about this infection to here. (if you still can't see the whole entry, try moving the border in the grey bar (next to "backup" text))


  7. #7
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default Spybot

    Will do, boss!

  8. #8
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default Recovery

    I've made a screenshot of the window containing the info re Win32.Zhelatin.k, but I'll copy what it says below. There are 3 checked lines below the Win32.Zhelatin.k line:
    HKEY_USERS\S-1-5-21-3293823761-4021508746-2703944788-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\x\greeting card.exe [Date 26/06/2007 5:18.21 PM]
    HKEY_USERS\S-1-5-21-3293823761-4021508746-2703944788-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\x\greeting card.exe [Date 20/06/2007 12:46:03 PM]
    HKEY_USERS\S-1-5-21-3293823761-4021508746-2703944788-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\x\greeting card.exe [Date 05/06/2007 2:37:16 PM]

    P.S. My computer's painfully slow this afternoon, and I can't see any unusual processes running. I did get a travelocity ad playing on my media player about an hour ago - don't know how that got there. I try to be so careful.

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello

    Ok we may try to delete this manually, looks like a leftover....

    Backup your registry:
    • Start
    • Run
    • Type the following to the box and hit Ok: regedit
    • A window opens, click on File
    • Choose Export from the menu
    • Change the save location to C:\
    • Give the filename, RegBackUp
    • Make sure that the filetype is set to Registryfiles (*.reg)
    • Click on Save and Close the window



    Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :

    REGEDIT4

    [-HKEY_USERS\S-1-5-21-3293823761-4021508746-2703944788-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\x\greeting card.exe]

    Make sure there are NO blank lines before REGEDIT4
    Make sure there IS one blank line at the end of the file.

    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


    Use the Windows search
    • Start
    • Search
    • All files and folders
    • More advanced options
    Checkmark these options:
    • "Search system folders"
    • "Search hidden files and folders"
    • "Search subfolders"
    • Search for this and delete if found: greeting card.exe


    Generate a HijackThis Startup list:
    Open HijackThis:
    • Click on "Open the Misc Tools Section"
    • Check the following boxes to the right of "Generate StartupList Log":
      • List also minor sections (Full)
      • List empty sections (Complete)
    • Click "Generate StartupListLog"
    • Click "Yes" at the prompt.
    • A Notepad window will open with the contents of the HijackThis Startup list displayed
    • Copy & Paste that log to here
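    The Fix.reg step in the post above is easy to get subtly wrong: a stray blank line before REGEDIT4, formatting carried over from Wordpad, or a backslash inside a value name. As an added example, not code from the thread, the following Python builds a REGEDIT4 file in the format the post describes and checks a file against those rules before it is merged. It also covers a case the post leaves open: on XP, MUICache records each program that has been run as a value name under the MUICache key (the name is the path, the data is the window title), so `x\greeting card.exe` may be a value rather than a subkey. Regedit shows which, and the helper emits the matching form; the MUICACHE constant is the key quoted from the Spybot entry earlier in the thread.

```python
"""Build and sanity-check a REGEDIT4 fix file like the thread's Fix.reg.

Added example, not code from the thread. It writes the format the post
describes (REGEDIT4 header, CRLF line ends, one blank line at the end)
and checks a file against those rules before it is merged. Assumption
stated up front: MUICache entries are normally value names under the
MUICache key, so the helper can delete a single value ("name"=-) as
well as a whole key ([-KEY], the form used in the thread).
"""
from typing import List, Optional, Tuple

HEADER = "REGEDIT4"
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
         "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG")
# Key quoted from the Spybot entry posted in the thread.
MUICACHE = (r"HKEY_USERS\S-1-5-21-3293823761-4021508746-2703944788-1003"
            r"\Software\Microsoft\Windows\ShellNoRoam\MUICache")


def _escape(s: str) -> str:
    # .reg string syntax escapes backslash and double quote with a backslash.
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _unescape(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1]); i += 2
        else:
            out.append(s[i]); i += 1
    return "".join(out)


def _finish(lines: List[str]) -> str:
    # CRLF line ends and exactly one blank line at the end of the file.
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines + [""]) + "\r\n"


def delete_key_file(*keys: str) -> str:
    """[-KEY] lines: remove each key and everything under it (the thread's form)."""
    lines = [HEADER, ""]
    for k in keys:
        lines += [f"[-{k}]", ""]
    return _finish(lines)


def delete_value_file(key: str, *names: str) -> str:
    """\"name\"=- lines: remove single values under key, leaving the key itself."""
    lines = [HEADER, "", f"[{key}]"] + [f'"{_escape(n)}"=-' for n in names]
    return _finish(lines)


def parse_reg(text: str) -> List[Tuple[str, Optional[str]]]:
    """Deletions the file performs as (key, value_name); value_name None = whole key."""
    ops, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == HEADER:
            continue
        if line.startswith("[-") and line.endswith("]"):
            ops.append((line[2:-1], None)); current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line.startswith('"') and line.endswith('"=-') and current:
            ops.append((current, _unescape(line[1:-3])))
    return ops


def check_reg(text: str) -> List[str]:
    """Problems the post's instructions warn about; an empty list means merge-ready."""
    problems = []
    if not text.startswith(HEADER + "\r\n"):
        problems.append("first line must be REGEDIT4, with nothing before it")
    if not (text.endswith("\r\n\r\n") and not text.endswith("\r\n\r\n\r\n")):
        problems.append("file must end with exactly one blank line")
    for raw in text.splitlines()[1:]:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            key = line[2:-1] if line.startswith("[-") else line[1:-1]
            if not line.endswith("]") or not key.startswith(HIVES):
                problems.append(f"malformed key line: {line}")
        elif not (line.startswith('"') and "=" in line):
            problems.append(f"unexpected line (pasted formatting?): {line}")
    if not parse_reg(text):
        problems.append("file performs no deletion")
    return problems


if __name__ == "__main__":
    # Value form (assumed MUICache layout) next to the thread's key form.
    for fix in (delete_value_file(MUICACHE, r"x\greeting card.exe"),
                delete_key_file(MUICACHE + r"\x\greeting card.exe")):
        print(fix, end="")
        print("problems:", check_reg(fix) or "none")
```

    Either output can be saved as Fix.reg (All Files, not .txt) and merged exactly as the post says; back the hive up first, either with the regedit Export step above or with `reg export HKU\S-1-5-21-3293823761-4021508746-2703944788-1003 C:\RegBackUp.reg` from a command prompt. `check_reg` is the part worth keeping around: run it on any .reg file someone hands you before double-clicking it, since the same format that deletes one cache entry can just as easily re-add a Run key.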

  10. #10
    Member
    Join Date
    Feb 2006
    Posts
    94

    Default It's ba-aack

    Just finished a Spybot scan, and Win32.Zhelatin.k is back again, same settings as previous weeks. I've seen your posting regarding fixing my registry and I'll read that carefully, but I wanted you to see this while I have it:
    Win32.Zhelatin.k
    Settings
    HKEY_USERS\S-1-5-21-3293823761-4021508746-2703944788-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\x\greeting card.exe
