Reagan72

can't use task manager


Thanks,

Sorry about that.

MBAM LOG:

Malwarebytes' Anti-Malware 1.25

Database version: 1099

Windows 5.1.2600 Service Pack 1

10:58:52 PM 8/30/2008

mbam-log-08-30-2008 (22-58-48).txt

Scan type: Quick Scan

Objects scanned: 47491

Time elapsed: 10 minute(s), 31 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 3

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 8

Memory Processes Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hbkernel (Rootkit.OnlineGames) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4PYRSLMB\update[1].gif (Spyware.OnlineGames) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C52F4PAZ\c12345[1].jpg (Trojan.Unclassified) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\C52F4PAZ\abb[1].gif (Trojan.Downloader) -> No action taken.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Agent) -> No action taken.

C:\WINDOWS\system32\drivers\HBKernel.sys (Rootkit.OnlineGames) -> No action taken.


I don't quite understand why you aren't following my instructions.

Okay... One last try at this...

1. Make sure your PC is in normal mode.

2. Start MBAM and update it.

3. Select Quick Scan.

4. Remove selected items (this is extremely important!).

5. Reboot your PC normally (your computer absolutely must get to the "Windows is shutting down" screen; it has got to be able to save current settings).

6. Scan your PC again with MBAM, and post this log as well as a fresh log from HijackThis.


Sorry,

I promise you I followed all your instructions this time.

MBAM LOG:

Malwarebytes' Anti-Malware 1.25

Database version: 1099

Windows 5.1.2600 Service Pack 1

2:07:03 AM 8/31/2008

mbam-log-08-31-2008 (02-06-57).txt

Scan type: Quick Scan

Objects scanned: 52133

Time elapsed: 10 minute(s), 54 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> No action taken.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> No action taken.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DVJJL5WE\c12345[1].jpg (Trojan.Unclassified) -> No action taken.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Agent) -> No action taken.

HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:07:15 AM, on 8/31/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\NMBgMonitor.exe

C:\WINDOWS\System32\dllcache\qxchost.exe

C:\WINDOWS\wanmpsvc.exe

c:\g3g6r8w3c2f7.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe

O1 - Hosts: 127.0.0.3 adlaji.cn

O1 - Hosts: 127.0.0.l www.xxie.net

O1 - Hosts: 127.0.01 www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [NMBgMonitor.exe] C:\WINDOWS\system32\NMBgMonitor.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: aaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll

O21 - SSODL: comuidsg.dll - {898E02AB-9372-4a2c-9C4A-FFE1AF61097F} - C:\WINDOWS\System32\comuidsg.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll

O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6858 bytes


Strange, MBAM is still detecting things and reporting that you aren't taking any action. Please allow MBAM to remove anything it finds, and reboot your PC into normal mode. Repeat this until MBAM finds nothing else. OK?

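The complaint above, that MBAM keeps reporting the same items with "No action taken", can be checked mechanically rather than by reading every log. The following Python script is an added example for this thread, not Malwarebytes' code: it parses the detection lines of an MBAM 1.x log in the format posted here, tallies the action recorded against each finding, and reports the log as not cleaned while anything is still "No action taken" (the log was saved after Scan but before Remove Selected) or still waiting on a reboot. The sample log is constructed from the format of the posted ones, and the action phrases it recognises are an assumption that covers only those seen in this thread.

```python
"""Audit a Malwarebytes' Anti-Malware 1.x scan log for detections that were
only reported, not removed.

Added example for this thread; not Malwarebytes' code.  The detection-line
format (item, threat name in parentheses, ' -> ' action) is taken from the
logs posted above; the action vocabulary below is an assumption of this
example and covers only the phrases seen in those logs."""
import re
from collections import Counter

# One detection line: "<item> (<threat>) -> [Bad: (x) Good: (y) -> ]<action>."
# Assumption: the item itself contains no parentheses (a path such as
# "C:\Program Files (x86)\..." would need a stricter pattern).
DETECTION = re.compile(
    r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> "
    r"(?:Bad: \(.*?\) Good: \(.*?\) -> )?(?P<action>.+?)\.?$"
)

NOT_REMOVED = "No action taken"   # scan saved without "Remove Selected"
PENDING = "Delete on reboot"      # removal deferred; only a post-reboot scan proves it

# Constructed sample in the format of the thread's logs (trimmed).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.25
Database version: 1099
Memory Processes Infected: 1
Files Infected: 3

Memory Processes Infected:
c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> No action taken.
C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.
"""


def parse_detections(text):
    """Return (item, threat, action) for every detection line in the log."""
    found = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            found.append((m["item"], m["threat"], m["action"]))
    return found


def audit(text):
    """Summarise what the scan actually did with its findings.

    'cleaned' is False whenever any finding is still "No action taken":
    that is the signature of a log saved before "Remove Selected" was
    clicked, which is why the same items reappear scan after scan."""
    dets = parse_detections(text)
    actions = Counter(action for _, _, action in dets)
    untreated = sorted({item for item, _, action in dets if action == NOT_REMOVED})
    pending = sorted({item for item, _, action in dets if action == PENDING})
    return {
        "detections": len(dets),
        "actions": dict(actions),
        "untreated": untreated,
        "pending_reboot": pending,
        "cleaned": not untreated,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the first two logs posted in this thread it returns cleaned: False with every item untreated; against the scan posted after the FileAssassin attempt it returns cleaned: True but lists linkinfo.dll, the Temp copy of wmsetup.dll and DesktopWin.dll under pending_reboot, which is why only a second scan after the restart shows whether those files actually went.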

Okay,

g3g6r8w3c2f7.exe won't be deleted. When MBAM says it will delete it on reboot, it always still shows up. (I am allowing it to shut down and restart in normal mode without any interference, though I do get back to MBAM and start another scan about 4 minutes after the desktop background with all the icons comes up. Am I giving it enough time?) When I try to delete it by first sending it to the Recycle Bin, I always get the message "Cannot delete g3g6r8w3c2f7: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use."

Malwarebytes' Anti-Malware 1.25

Database version: 1101

Windows 5.1.2600 Service Pack 1

3:26:37 PM 8/31/2008

mbam-log-08-31-2008 (15-26-37).txt

Scan type: Quick Scan

Objects scanned: 1

Time elapsed: 2 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> Delete on reboot.

g3g6r8w3c2f7.zip


Just another note: I just realized it is being created every time the computer restarts.


Let's head to the Other Tools tab. There you will see an icon for FileAssassin.

Click Run Tool, then select that offending file and reboot as requested.

Then scan again and post a fresh HJT log as well as a fresh MBAM log. Please be sure you update to the latest defs before scanning.


Thanks,

Malwarebytes' Anti-Malware 1.25

Database version: 1102

Windows 5.1.2600 Service Pack 1

8:58:33 PM 8/31/2008

mbam-log-08-31-2008 (20-58-33).txt

Scan type: Quick Scan

Objects scanned: 54217

Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> Unloaded process successfully.

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\g3g6r8w3c2f7.exe (Trojan.Unclassified) -> Quarantined and deleted successfully.

C:\WINDOWS\linkinfo.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\system32\drivers\cdralw.sys (Trojan.Alman) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\QQ_Update.cab (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\075V6YR9\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\075V6YR9\c12345[1].jpg (Trojan.Unclassified) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\D0WVHD41\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DVJJL5WE\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Agent) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:01:35 PM, on 8/31/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\NMBgMonitor.exe

C:\WINDOWS\System32\dllcache\qxchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe

O1 - Hosts: 127.0.0.3 adlaji.cn

O1 - Hosts: 127.0.0.l www.xxie.net

O1 - Hosts: 127.0.01 www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [HBService] explore.exe

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [NMBgMonitor.exe] C:\WINDOWS\system32\NMBgMonitor.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: aaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - C:\Program Files\Messenger\msgmr.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 6386 bytes


Still there, Raid.

I ran the FileAssassin tool; it said it could not delete the file but restarted. Booted back up, ran MBAM (tried updating; I had the latest version); it found infected objects, I 'removed' them but copied and replied here with the log after it 'removed' the objects, as well as the HijackThis log, then I let it restart. When it came back up I looked and found the .exe file still there.


Never mind,

Task Manager is working this time around. I was able to go into Task Manager, stop the process of the file, then delete it. I will now run MBAM; if it finds anything, I'll let it remove it, then reboot, run it again along with HijackThis and post both logs.


Okay, I want you to tick and remove the following items with HijackThis:

O1 - Hosts: 127.0.0.3 adlaji.cn

O1 - Hosts: 127.0.0.l www.xxie.net

O1 - Hosts: 127.0.01 www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [HBService] explore.exe

O20 - AppInit_DLLs: aaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dllaaa.dllHBmhly.dll

After selecting them for removal with HijackThis, reboot your PC normally. Next I'd like you to load GMER, hit the Scan button and provide the entire logfile here, please. I am going to examine this executable in closer detail. I haven't learned much from the executable itself, although something is still present on your PC, most likely... So, we're going to try something different to kill this off for you.

First, I want you to go here and download sysclean:

http://www.trendmicro.com/download/dcs.asp You will need to download two additional files, one for viruses and the other for spyware.

Instructions for which ones to download are found here:

http://www.trendmicro.com/ftp/products/tsc/readme.txt

After doing all of this, please post back your results; including the logfile that will be left behind by sysclean.

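The removal list above was assembled by eye from the HijackThis log. As an added example for this thread (not HijackThis's or Trend Micro's code), the Python script below does the same triage offline on a log in the format posted here: it separates hosts-file lines that merely sinkhole a name (loopback address) from those that redirect it somewhere else, flags lines whose address does not even parse, flags Run entries that name a bare executable and in particular one a letter or two away from a core Windows binary (the [HBService] explore.exe entry), reports non-zero policy restrictions such as DisableRegedit, lists the DLL names in AppInit_DLLs, and lists services HijackThis could not attribute to a vendor. The sample lines, the regexes, the lookalike list and the distance threshold are assumptions of this example.

```python
"""Triage a HijackThis 2.0 log for the entry types that mattered in this
thread: O1 hosts-file lines, O4 Run keys, O7 policy restrictions, O20
AppInit_DLLs and O23 services.  Added example; not HijackThis's or Trend
Micro's code.  The line formats are taken from the logs posted above; the
heuristics, the lookalike list and the sample lines are assumptions."""
import ipaddress
import re

HOSTS = re.compile(r"^O1 - Hosts: (?P<ip>\S+)\s+(?P<host>\S+)")
RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
POLICY = re.compile(r"^O7 - (?P<key>.+), (?P<value>\w+)=(?P<data>\d+)$")
APPINIT = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.+)$")
SERVICE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumed list of core Windows binaries whose names malware imitates
# (the thread's "[HBService] explore.exe" is one letter off explorer.exe).
LOOKALIKE_TARGETS = ["explorer.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                     "winlogon.exe", "services.exe", "spoolsv.exe", "rundll32.exe"]

# Constructed sample: a few lines in the format of the posted HijackThis log.
SAMPLE_HJT = r"""
O1 - Hosts: 127.0.0.3 adlaji.cn
O1 - Hosts: 127.0.0.l www.xxie.net
O1 - Hosts: 127.0.01 www.gfrgfrsa.cn
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [HBService] explore.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: aaa.dllHBmhly.dllaaa.dllHBmhly.dll
O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter-off binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host_entry(ip):
    """Loopback only blocks the name; any other address silently redirects it;
    an unparsable address needs a human look (the Windows hosts parser may or
    may not honour shorthand such as 127.0.01)."""
    try:
        return "sinkhole" if ipaddress.ip_address(ip).is_loopback else "redirect"
    except ValueError:
        return "malformed"


def first_token(cmd):
    """Executable part of a Run-key command line (quoted path or first word)."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]


def triage(text):
    report = {key: [] for key in (
        "hosts_redirect", "hosts_sinkhole", "hosts_malformed", "run_unqualified",
        "run_lookalike", "policies", "appinit_dlls", "services_unknown_owner")}
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOSTS.match(line):
            if m["host"].lower() != "localhost":   # the one stock entry
                report["hosts_" + classify_host_entry(m["ip"])].append((m["ip"], m["host"]))
        elif m := RUN.match(line):
            exe = first_token(m["cmd"])
            if "\\" not in exe:                     # bare name: found via PATH, nothing to verify
                report["run_unqualified"].append((m["name"], exe))
                for target in LOOKALIKE_TARGETS:
                    if exe.lower() != target and edit_distance(exe.lower(), target) <= 2:
                        report["run_lookalike"].append((m["name"], exe, target))
        elif m := POLICY.match(line):
            if m["data"] != "0":                    # e.g. DisableRegedit=1, DisableTaskMgr=1
                report["policies"].append((m["value"], m["data"]))
        elif m := APPINIT.match(line):
            # AppInit_DLLs is loaded into every process that loads user32; any value is notable.
            report["appinit_dlls"] = sorted(set(re.findall(r"[A-Za-z0-9_]+\.dll", m["value"], re.I)))
        elif m := SERVICE.match(line):
            if m["owner"] == "Unknown owner":       # HJT found no company name in the binary
                report["services_unknown_owner"].append((m["name"], m["path"]))
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_HJT).items():
        print(f"{key}: {value}")
```

The three loopback-looking lines sort into different buckets: 127.0.0.3 is a working sinkhole, while 127.0.0.l and 127.0.01 are not valid dotted quads and the log alone cannot tell you whether Windows honours them. All of them were written by the malware and belong on the removal list either way; the script only tells you which ones would actively send traffic to an attacker-chosen address.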

Thanks,

GMER keeps restarting during scans.

SYSCLEAN:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-01, 14:26:47, Auto-clean mode specified.

2008-09-01, 14:26:48, Initialized Rootkit Driver version 1.6.0.1059.

2008-09-01, 14:26:48, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-01, 14:27:30, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-01, 14:27:30, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:26:52

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Mon Sep 01 2008 14:27:25

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-01, 14:27:30, Running scanner "C:\sysclean\VSCANTM.BIN"...

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-01, 16:44:20, Auto-clean mode specified.

2008-09-01, 16:44:20, Initialized Rootkit Driver version 1.6.0.1059.

2008-09-01, 16:44:20, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-01, 17:09:50, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-01, 17:09:50, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:47:49

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->reboot delete file("C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll","","") success

-->add folder("C:\sysclean\TSC_Temp","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->add file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\RunOnce","TSC") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll

Complete time : Mon Sep 01 2008 14:47:55

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:48:54

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_GAMETHIE.SE,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif

Complete time : Mon Sep 01 2008 14:48:59

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:49:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_DLOADER.YON,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif

Complete time : Mon Sep 01 2008 14:49:35

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:53:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_GAMETHIE.SE,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif

Complete time : Mon Sep 01 2008 14:53:39

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:54:43

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif

Complete time : Mon Sep 01 2008 14:54:48

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:55:48

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.PRM,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif

Complete time : Mon Sep 01 2008 14:55:53

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:17

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.PRM,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif

Complete time : Mon Sep 01 2008 14:56:22

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:27

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.CHS,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif

Complete time : Mon Sep 01 2008 14:56:33

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:57

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_DLOADER.YON,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif

Complete time : Mon Sep 01 2008 14:57:01

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 16:44:37

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

PE_CORELINK.C[virus found]

-->reboot delete file("C:\WINDOWS\linkinfo.dll","","") success

Complete time : Mon Sep 01 2008 16:45:21

Execute pattern count(3021), Virus found count(1), Virus clean count(1), Clean failed count(0)

2008-09-01, 17:09:50, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-01, 21:06:29, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-01, 21:06:29, VSCANTM Log:

2008-09-01, 21:06:30, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

C:\Program Files\Messenger\msgmr.dll [TROJ_SMALL.MAG]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [bAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [bAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [TSPY_ONLINEG.SKS]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

105734 files have been read.

105734 files have been checked.

101910 files have been scanned.

272772 files have been scanned. (including files in archived)

88 files containing viruses.

Found 88 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/1/2008 21:06:22 3 hours 56 minutes 24 seconds (14183.81 seconds) has elapsed.(134.146 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-01, 21:06:30, Files Clean:

2008-09-01, 21:06:30, Clean Fail:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

2008-09-01, 21:06:33, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-01, 21:06:34, Scanner "C:\sysclean\VSCANTM.BIN" could not be executed: Insufficient system resources exist to complete the requested service.

2008-09-01, 21:06:34, Running SSAPI scanner ""...

2008-09-01, 21:06:34, Scanner "C:\sysclean\SSAPIPTN.DA5" could not be executed: Insufficient system resources exist to complete the requested service.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:30:39 PM, on 9/1/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\dllcache\qxchost.exe

C:\WINDOWS\System32\nservice.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\system32\NMBgMonitor.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

c:\g3g6r8w3c2f7.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\NMBgMonitor.exe

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [NMBgMonitor.exe] C:\WINDOWS\system32\NMBgMonitor.exe

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: qxfel.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - (no file)

O21 - SSODL: dpvvoxmh.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\dpvvoxmh.dll

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\dispexcb.dll

O21 - SSODL: imgutilhx2.dll - {DA56B183-A731-402b-9235-2CB8803E212D} - C:\WINDOWS\System32\imgutilhx2.dll

O21 - SSODL: tzzhuiox.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\tzzhuiox.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - C:\WINDOWS\System32\adsntzt.dll

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINDOWS\System32\certmgrkd.dll

O21 - SSODL: scrruncqsj.dll - {00240024-0024-0024-0024-00240024BB15} - C:\WINDOWS\System32\scrruncqsj.dll

O21 - SSODL: bootvidgj.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\bootvidgj.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Microsoft Agent - Unknown owner - C:\WINDOWS\System32\dllcache\qxchost.exe

O23 - Service: nservice - Unknown owner - C:\WINDOWS\System32\nservice.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7966 bytes


Oi.....

I will need a bit of time to process all of that information. However, sadly I can see that you have become more infected now than you were, once again....

Is somebody using this computer while we are trying to clean it? Also, do you have Nero installed?

Thanks,

GMER keeps restarting during scans.

SYSCLEAN:

Okay, judging by the logs, Sysclean had trouble doing everything. I'd like you to reboot into Safe Mode and run it from there. Then allow the machine to reboot normally, run MBAM, update it, and scan your machine; allow MBAM to remove anything it finds, and reboot normally again. Post a fresh HijackThis log and the Sysclean logs afterwards.


Raid, I think we just about got it, my friend. I don't see that g3gwhatever.exe file anymore.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:43:10 PM, on 9/2/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - (no file)

O21 - SSODL: dpvvoxmh.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\dpvvoxmh.dll

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll (file missing)

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\dispexcb.dll

O21 - SSODL: imgutilhx2.dll - {DA56B183-A731-402b-9235-2CB8803E212D} - C:\WINDOWS\System32\imgutilhx2.dll

O21 - SSODL: tzzhuiox.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\polensqs.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - C:\WINDOWS\System32\adsntzt.dll

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINDOWS\System32\certmgrkd.dll

O21 - SSODL: scrruncqsj.dll - {00240024-0024-0024-0024-00240024BB15} - C:\WINDOWS\System32\scrruncqsj.dll

O21 - SSODL: bootvidgj.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\bootvidgj.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: polensqs.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\polensqs.dll

O21 - SSODL: twainyy.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\twainyy.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7543 bytes

SYSCLEAN:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-01, 14:26:47, Auto-clean mode specified.

2008-09-01, 14:26:48, Initialized Rootkit Driver version 1.6.0.1059.

2008-09-01, 14:26:48, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-01, 14:27:30, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-01, 14:27:30, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:26:52

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Mon Sep 01 2008 14:27:25

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-01, 14:27:30, Running scanner "C:\sysclean\VSCANTM.BIN"...

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-01, 16:44:20, Auto-clean mode specified.

2008-09-01, 16:44:20, Initialized Rootkit Driver version 1.6.0.1059.

2008-09-01, 16:44:20, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-01, 17:09:50, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-01, 17:09:50, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:47:49

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->reboot delete file("C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll","","") success

-->add folder("C:\sysclean\TSC_Temp","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->add file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\RunOnce","TSC") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll

Complete time : Mon Sep 01 2008 14:47:55

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:48:54

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_GAMETHIE.SE,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif

Complete time : Mon Sep 01 2008 14:48:59

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:49:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_DLOADER.YON,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif

Complete time : Mon Sep 01 2008 14:49:35

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:53:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_GAMETHIE.SE,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif

Complete time : Mon Sep 01 2008 14:53:39

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:54:43

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif

Complete time : Mon Sep 01 2008 14:54:48

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:55:48

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.PRM,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif

Complete time : Mon Sep 01 2008 14:55:53

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:17

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.PRM,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif

Complete time : Mon Sep 01 2008 14:56:22

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:27

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.CHS,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif

Complete time : Mon Sep 01 2008 14:56:33

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:57

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_DLOADER.YON,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif

Complete time : Mon Sep 01 2008 14:57:01

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 16:44:37

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

PE_CORELINK.C[virus found]

-->reboot delete file("C:\WINDOWS\linkinfo.dll","","") success

Complete time : Mon Sep 01 2008 16:45:21

Execute pattern count(3021), Virus found count(1), Virus clean count(1), Clean failed count(0)

2008-09-01, 17:09:50, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-01, 21:06:29, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-01, 21:06:29, VSCANTM Log:

2008-09-01, 21:06:30, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

C:\Program Files\Messenger\msgmr.dll [TROJ_SMALL.MAG]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [bAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [bAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [TSPY_ONLINEG.SKS]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

105734 files have been read.

105734 files have been checked.

101910 files have been scanned.

272772 files have been scanned. (including files in archived)

88 files containing viruses.

Found 88 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/1/2008 21:06:22 3 hours 56 minutes 24 seconds (14183.81 seconds) has elapsed.(134.146 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-01, 21:06:30, Files Clean:

2008-09-01, 21:06:30, Clean Fail:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

2008-09-01, 21:06:33, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-01, 21:06:34, Scanner "C:\sysclean\VSCANTM.BIN" could not be executed: Insufficient system resources exist to complete the requested service.

2008-09-01, 21:06:34, Running SSAPI scanner ""...

2008-09-01, 21:06:34, Scanner "C:\sysclean\SSAPIPTN.DA5" could not be executed: Insufficient system resources exist to complete the requested service.

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-02, 20:27:26, Auto-clean mode specified.

2008-09-02, 20:27:26, Failed to initialize Rootkit Driver.

2008-09-02, 20:27:26, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-02, 20:29:59, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-02, 20:29:59, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Tue Sep 02 2008 20:27:27

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Tue Sep 02 2008 20:29:00

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-02, 20:29:59, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-02, 22:02:35, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-02, 22:02:35, VSCANTM Log:

2008-09-02, 22:02:35, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

C:\Program Files\Messenger\msgmr.dll [TROJ_SMALL.MAG]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [BAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [BAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [TSPY_ONLINEG.SKS]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

105734 files have been read.

105734 files have been checked.

101910 files have been scanned.

272772 files have been scanned. (including files in archived)

88 files containing viruses.

Found 88 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/1/2008 21:06:22 3 hours 56 minutes 24 seconds (14183.81 seconds) has elapsed.(134.146 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 20:29:59

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [TROJ_AGENT.ASAY]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\sysocmgr.dll [TROJ_DROPPER.OPZ]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\aotoppt.dll [Possible_OLGM-15]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[5].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\1[1].exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[5].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [BAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\drivers\services.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [BAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\johandy.dll [Possible_OLGM-15]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [Possible_OLGM-15]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ttx.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\y2n4t2j8u6m9.exe [WORM_SPYBOT.AOD]

90658 files have been read.

90658 files have been checked.

90626 files have been scanned.

253936 files have been scanned. (including files in archived)

102 files containing viruses.

Found 102 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/2/2008 22:02:34 1 hour 32 minutes 33 seconds (5552.72 seconds) has elapsed.(61.249 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-02, 22:02:35, Files Clean:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

105734 files have been read.

105734 files have been checked.

101910 files have been scanned.

272772 files have been scanned. (including files in archived)

88 files containing viruses.

Found 88 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/1/2008 21:06:22 3 hours 56 minutes 24 seconds (14183.81 seconds) has elapsed.(134.146 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 20:29:59

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

90658 files have been read.

90658 files have been checked.

90626 files have been scanned.

253936 files have been scanned. (including files in archived)

102 files containing viruses.

Found 102 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/2/2008 22:02:34 1 hour 32 minutes 33 seconds (5552.72 seconds) has elapsed.(61.249 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-02, 22:02:35, Clean Fail:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 20:29:59

2008-09-02, 22:02:35, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-02, 22:16:01, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-02, 22:16:01, VSCANTM Log:

2008-09-02, 22:16:01, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 22:02:35

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND D:\*.* /P=C:\sysclean\lpt$vpn.513

D:\cmdcons\autochk.exe [PE_CORELINK.C-1]

D:\cmdcons\autofmt.exe [PE_CORELINK.C-1]

D:\cmdcons\system32\smss.exe [PE_CORELINK.C-1]

D:\Info.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\attrib.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\autochk.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\autofmt.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\Bootini.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\chkdsk.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\clipsrv.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\cmd.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\cmd2.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\DblRes.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\diskpart.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\dmadmin.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\DskPart.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\Eject.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqndiag.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqnlogr.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqnloop.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\expand.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\factory.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\FATFMT32.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\ipconfig.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\LABEL.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\locator.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\LogViewer.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\lsass.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\net.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\net1.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\netcfg.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\notepad.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ntkrnlmp.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ntsd.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\odbcad32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\odbcconf.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\PAGEFILE.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\pentnt.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ping.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\reg.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\regedit.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\regsvr32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\RESTORE.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\RPONOFF.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\rsvp.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\rundll32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\services.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\setup.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\smss.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\spoolsv.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\start.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\svchost.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\taskmgr.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\userinit.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\winlogon.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\xcopy.exe [PE_CORELINK.C-1]

D:\i386\AUTOCHK.EXE [PE_CORELINK.C-1]

D:\i386\AUTOFMT.EXE [PE_CORELINK.C-1]

D:\i386\DIST\SYSTEM32\SMSS.EXE [PE_CORELINK.C-1]

D:\i386\Drv\APP00041\App00041.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP03902\App03902.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP05436\App05436.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP06334\App06334.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP11942\App11942.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP16827\App16827.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP26500\App26500.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP32391\App32391.exe [PE_CORELINK.C-1]

D:\i386\EXPAND.EXE [PE_CORELINK.C-1]

D:\i386\NETSETUP.EXE [PE_CORELINK.C-1]

D:\i386\NTSD.EXE [PE_CORELINK.C-1]

D:\i386\REGEDIT.EXE [PE_CORELINK.C-1]

D:\i386\SYSPARSE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\Bootini.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\DblRes.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\DskPart.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\Eject.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\FATFMT32.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\LABEL.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\LogViewer.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\PAGEFILE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\RESTORE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\RPONOFF.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\SMSS.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\attrib.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\autochk.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\autofmt.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\chkdsk.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\clipsrv.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\cmd.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\cmd2.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\diskpart.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\dmadmin.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqndiag.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqnlogr.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqnloop.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\expand.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\factory.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ipconfig.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\locator.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\lsass.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\net.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\net1.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\netcfg.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\notepad.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ntkrnlmp.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ntsd.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\odbcad32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\odbcconf.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\pentnt.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ping.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\reg.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\regedit.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\regsvr32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\rsvp.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\rundll32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\services.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\setup.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\spoolsv.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\start.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\svchost.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\taskmgr.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\userinit.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\winlogon.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\xcopy.exe [PE_CORELINK.C-1]

D:\i386\TELNET.EXE [PE_CORELINK.C-1]

D:\i386\USETUP.EXE [PE_CORELINK.C-1]

D:\i386\WINNT32.EXE [PE_CORELINK.C-1]

D:\i386\apps\APP00153\App00153.exe [PE_CORELINK.C-1]

D:\i386\apps\APP00292\App00292.exe [PE_CORELINK.C-1]

D:\i386\apps\APP12382\App12382.exe [PE_CORELINK.C-1]

D:\i386\apps\APP17421\App17421.exe [PE_CORELINK.C-1]

D:\i386\apps\APP18716\App18716.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW3MSN\msnfix\msnfix.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW4ATI\Video_ATI_7_83_0_0_ALL_WW_XP_5281-01.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW5NVI\32ww5nvi\PCIFINDX.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW5NVI\32ww5nvi\devcon.exe [PE_CORELINK.C-1]

9183 files have been read.

9183 files have been checked.

9183 files have been scanned.

32818 files have been scanned. (including files in archived)

136 files containing viruses.

Found 136 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/2/2008 22:16:00 13 minutes 22 seconds (802.28 seconds) has elapsed.(87.366 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-02, 22:16:01, Running SSAPI scanner ""...

2008-09-02, 22:53:40, SSAPI Log:

SSAPI Scanner Version: 1.0.1003

SSAPI Engine Version: 5.2.1032

SSAPI Pattern Version: 6.83

SSAPI Anti-Rootkit Version: <Failed>

Spyware Scan Started: 09/02/2008 22:16:06

SSAPI requires the system to reboot.

Detected Items:

[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:administrator@ad.yieldmanager.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@ad.yieldmanager[2].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\adopt.specificclick.net,Cookie:administrator@adopt.specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@adopt.specificclick[2].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\adrevolver.com,Cookie:administrator@adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@adrevolver[1].txt

[CLEAN SUCCESS][Cookie_Pointroll] Internet Explorer Cache\ads.pointroll.com,Cookie:administrator@ads.pointroll.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@ads.pointroll[1].txt

[CLEAN SUCCESS][Cookie_Advertising] Internet Explorer Cache\advertising.com,Cookie:administrator@advertising.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@advertising[2].txt

[CLEAN SUCCESS][Cookie_Apmebf] Internet Explorer Cache\apmebf.com,Cookie:administrator@apmebf.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@apmebf[1].txt

[CLEAN SUCCESS][Cookie_Atdmt] Internet Explorer Cache\atdmt.com,Cookie:administrator@atdmt.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@atdmt[2].txt

[CLEAN SUCCESS][Cookie_BlueStreak] Internet Explorer Cache\bluestreak.com,Cookie:administrator@bluestreak.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@bluestreak[1].txt

[CLEAN SUCCESS][Cookie_Com] Internet Explorer Cache\com.com,Cookie:administrator@com.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@com[1].txt

[CLEAN SUCCESS][Cookie_DoubleClick] Internet Explorer Cache\doubleclick.net,Cookie:administrator@doubleclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@doubleclick[1].txt

[CLEAN SUCCESS][Cookie_FastClick] Internet Explorer Cache\fastclick.net,Cookie:administrator@fastclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@fastclick[1].txt

[CLEAN SUCCESS][Cookie_Hitbox] Internet Explorer Cache\hitbox.com,Cookie:administrator@hitbox.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@hitbox[2].txt

[CLEAN SUCCESS][Cookie_InsightExpressAI] Internet Explorer Cache\insightexpressai.com,Cookie:administrator@insightexpressai.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@insightexpressai[1].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\media.adrevolver.com,Cookie:administrator@media.adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@media.adrevolver[1].txt

[CLEAN SUCCESS][Cookie_Questionmarket] Internet Explorer Cache\questionmarket.com,Cookie:administrator@questionmarket.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@questionmarket[2].txt

[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:administrator@revsci.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@revsci[2].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:administrator@specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@specificclick[1].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\trafficmp.com,Cookie:administrator@trafficmp.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@trafficmp[1].txt

[CLEAN SUCCESS][HackingTools_ProcKill] C:\hp\bin\Terminator.exe,C:\hp\bin\TERMIN~1.EXE,4703

[CLEAN SUCCESS][Adware_CometCursor] C:\Program Files\CompuServe 7.0\cstray.exe,C:\PROGRA~1\COMPUS~1.0\cstray.exe,10

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\,C:\PROGRA~1\Freeze.com,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\freeze.ico,C:\PROGRA~1\Freeze.com\DESKTO~1\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\freeze.url,C:\PROGRA~1\Freeze.com\DESKTO~1\freeze.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\INSTALL.LOG,C:\PROGRA~1\Freeze.com\DESKTO~1\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\undata.exe,C:\PROGRA~1\Freeze.com\DESKTO~1\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\undata.ini,C:\PROGRA~1\Freeze.com\DESKTO~1\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\DESKTO~1\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\,C:\PROGRA~1\Freeze.com\DESKTO~1,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\freeze.ico,C:\PROGRA~1\Freeze.com\LIVING~2\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\INSTALL.LOG,C:\PROGRA~1\Freeze.com\LIVING~2\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\license.txt,C:\PROGRA~1\Freeze.com\LIVING~2\license.txt,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\undata.exe,C:\PROGRA~1\Freeze.com\LIVING~2\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\undata.ini,C:\PROGRA~1\Freeze.com\LIVING~2\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\LIVING~2\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\upgrade.url,C:\PROGRA~1\Freeze.com\LIVING~2\upgrade.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\,C:\PROGRA~1\Freeze.com\LIVING~2,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\freeze.ico,C:\PROGRA~1\Freeze.com\LIVING~1\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\INSTALL.LOG,C:\PROGRA~1\Freeze.com\LIVING~1\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\license.txt,C:\PROGRA~1\Freeze.com\LIVING~1\license.txt,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\undata.exe,C:\PROGRA~1\Freeze.com\LIVING~1\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\undata.ini,C:\PROGRA~1\Freeze.com\LIVING~1\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\LIVING~1\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\upgrade.url,C:\PROGRA~1\Freeze.com\LIVING~1\upgrade.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\,C:\PROGRA~1\Freeze.com\LIVING~1,4701

Detected: 50 items.

Cleaned Success: 47 items.

Clean Failed: 3 items.

Spyware Scan Ended: 09/02/2008 22:53:39

Scan Complete. Time=2257.733887.


Good grief...

Who is using this computer while we are trying to clean it up? Please ask them to stop doing so! And you didn't tell me if you had Nero installed or not... Hmm...

Okay, boot the computer into safe mode, start HijackThis, check the following and fix them:

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - (no file)

O21 - SSODL: dpvvoxmh.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\dpvvoxmh.dll

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll (file missing)

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\dispexcb.dll

O21 - SSODL: imgutilhx2.dll - {DA56B183-A731-402b-9235-2CB8803E212D} - C:\WINDOWS\System32\imgutilhx2.dll

O21 - SSODL: tzzhuiox.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\polensqs.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - C:\WINDOWS\System32\adsntzt.dll

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINDOWS\System32\certmgrkd.dll

O21 - SSODL: scrruncqsj.dll - {00240024-0024-0024-0024-00240024BB15} - C:\WINDOWS\System32\scrruncqsj.dll

O21 - SSODL: bootvidgj.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\bootvidgj.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: polensqs.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\polensqs.dll

O21 - SSODL: twainyy.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\twainyy.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll (file missing)

Next, I want you to reboot the computer normally, run mbam, update it, and please scan again. After doing so, I require fresh hijackthis and mbam logs. Be sure you reboot if mbam asks you to do so.


Raid, the end of my probation can't come quick enough. Sad to say, the person (mom's husband) using this computer while I'm at school probably won't get the message to stay off without violence (we don't talk regardless). He did a system restore today while I was at school, and now that g3gwhatever.exe file is back, and the task manager isn't working. Shall I do the scan/cleanup over? If this persists I'll stop seeking your help, as I don't want to waste your time.

Sorry, I just found Nero; I thought I deleted that months ago. Is deleting it in order?


Ahh, I'm sorry man. But he's essentially undone everything we've managed to scrape off of the machine. If you have personal data or something, I'd be glad to help you archive it away from the infested machine. If you can get them to leave it be, we'll go through this again... But if you don't think they will comply, then it's a waste of our time to continue. Sadly, as long as they remain infected, the problems will get worse and I suspect the computer will soon become unusable.


Thanks,

I'd like to try again Saturday, that way I can monitor the computer all day as well as Sunday. Is that okay with you?

Also, should I delete Nero?


That's fine with me cmoney. And no, Nero is a good application. Unless you don't use it, there's no reason to remove it.

I will look forward to it this weekend, then.


Alright Raid, here we go again.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:57:55 PM, on 9/5/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: qxfel.dll mcromv.dll cupops.dll thermaltinc.dll cmbdaf.dll lensch.dll johandy.dll aotoppt.dll catower.dll wllame.dll zfashl.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - (no file)

O21 - SSODL: dpvvoxmh.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\dpvvoxmh.dll

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\dispexcb.dll

O21 - SSODL: imgutilhx2.dll - {DA56B183-A731-402b-9235-2CB8803E212D} - C:\WINDOWS\System32\imgutilhx2.dll

O21 - SSODL: tzzhuiox.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - C:\WINDOWS\System32\adsntzt.dll

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINDOWS\System32\certmgrkd.dll

O21 - SSODL: scrruncqsj.dll - {00240024-0024-0024-0024-00240024BB15} - C:\WINDOWS\System32\scrruncqsj.dll

O21 - SSODL: bootvidgj.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\bootvidgj.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: polensqs.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll

O21 - SSODL: haqyqjmv.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: putifwnb.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7767 bytes

SYSCLEAN:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-01, 14:26:47, Auto-clean mode specified.

2008-09-01, 14:26:48, Initialized Rootkit Driver version 1.6.0.1059.

2008-09-01, 14:26:48, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-01, 14:27:30, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-01, 14:27:30, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:26:52

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Mon Sep 01 2008 14:27:25

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-01, 14:27:30, Running scanner "C:\sysclean\VSCANTM.BIN"...

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-01, 16:44:20, Auto-clean mode specified.

2008-09-01, 16:44:20, Initialized Rootkit Driver version 1.6.0.1059.

2008-09-01, 16:44:20, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-01, 17:09:50, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-01, 17:09:50, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:47:49

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->reboot delete file("C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll","","") success

-->add folder("C:\sysclean\TSC_Temp","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->add file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\RunOnce","TSC") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll

Complete time : Mon Sep 01 2008 14:47:55

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:48:54

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_GAMETHIE.SE,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif

Complete time : Mon Sep 01 2008 14:48:59

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:49:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_DLOADER.YON,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif

Complete time : Mon Sep 01 2008 14:49:35

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:53:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_GAMETHIE.SE,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif

Complete time : Mon Sep 01 2008 14:53:39

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:54:43

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif

Complete time : Mon Sep 01 2008 14:54:48

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:55:48

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.PRM,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif

Complete time : Mon Sep 01 2008 14:55:53

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:17

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.PRM,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif

Complete time : Mon Sep 01 2008 14:56:22

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:27

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.CHS,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif

Complete time : Mon Sep 01 2008 14:56:33

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:57

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_DLOADER.YON,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif

Complete time : Mon Sep 01 2008 14:57:01

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 16:44:37

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

PE_CORELINK.C[virus found]

-->reboot delete file("C:\WINDOWS\linkinfo.dll","","") success

Complete time : Mon Sep 01 2008 16:45:21

Execute pattern count(3021), Virus found count(1), Virus clean count(1), Clean failed count(0)

2008-09-01, 17:09:50, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-01, 21:06:29, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-01, 21:06:29, VSCANTM Log:

2008-09-01, 21:06:30, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

C:\Program Files\Messenger\msgmr.dll [TROJ_SMALL.MAG]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [bAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [bAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [TSPY_ONLINEG.SKS]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

105734 files have been read.

105734 files have been checked.

101910 files have been scanned.

272772 files have been scanned. (including files in archived)

88 files containing viruses.

Found 88 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/1/2008 21:06:22 3 hours 56 minutes 24 seconds (14183.81 seconds) has elapsed.(134.146 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-01, 21:06:30, Files Clean:

2008-09-01, 21:06:30, Clean Fail:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

2008-09-01, 21:06:33, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-01, 21:06:34, Scanner "C:\sysclean\VSCANTM.BIN" could not be executed: Insufficient system resources exist to complete the requested service.

2008-09-01, 21:06:34, Running SSAPI scanner ""...

2008-09-01, 21:06:34, Scanner "C:\sysclean\SSAPIPTN.DA5" could not be executed: Insufficient system resources exist to complete the requested service.

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-02, 20:27:26, Auto-clean mode specified.

2008-09-02, 20:27:26, Failed to initialize Rootkit Driver.

2008-09-02, 20:27:26, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-02, 20:29:59, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-02, 20:29:59, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Tue Sep 02 2008 20:27:27

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Tue Sep 02 2008 20:29:00

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-02, 20:29:59, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-02, 22:02:35, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-02, 22:02:35, VSCANTM Log:

2008-09-02, 22:02:35, Files Detected:

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

C:\Program Files\Messenger\msgmr.dll [TROJ_SMALL.MAG]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

---------*---------*---------*---------*---------*---------*---------*---------*

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 20:29:59

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [TROJ_AGENT.ASAY]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\sysocmgr.dll [TROJ_DROPPER.OPZ]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\aotoppt.dll [Possible_OLGM-15]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[5].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\1[1].exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[5].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [bAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\drivers\services.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [bAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\johandy.dll [Possible_OLGM-15]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [Possible_OLGM-15]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ttx.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\y2n4t2j8u6m9.exe [WORM_SPYBOT.AOD]

90658 files have been read.

90658 files have been checked.

90626 files have been scanned.

253936 files have been scanned. (including files in archived)

102 files containing viruses.

Found 102 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/2/2008 22:02:34 1 hour 32 minutes 33 seconds (5552.72 seconds) has elapsed.(61.249 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-02, 22:02:35, Files Clean:

2008-09-02, 22:02:35, Clean Fail:

2008-09-02, 22:02:35, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-02, 22:16:01, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-02, 22:16:01, VSCANTM Log:

2008-09-02, 22:16:01, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 22:02:35

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND D:\*.* /P=C:\sysclean\lpt$vpn.513

D:\cmdcons\autochk.exe [PE_CORELINK.C-1]

D:\cmdcons\autofmt.exe [PE_CORELINK.C-1]

D:\cmdcons\system32\smss.exe [PE_CORELINK.C-1]

D:\Info.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\attrib.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\autochk.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\autofmt.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\Bootini.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\chkdsk.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\clipsrv.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\cmd.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\cmd2.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\DblRes.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\diskpart.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\dmadmin.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\DskPart.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\Eject.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqndiag.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqnlogr.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqnloop.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\expand.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\factory.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\FATFMT32.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\ipconfig.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\LABEL.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\locator.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\LogViewer.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\lsass.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\net.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\net1.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\netcfg.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\notepad.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ntkrnlmp.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ntsd.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\odbcad32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\odbcconf.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\PAGEFILE.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\pentnt.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ping.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\reg.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\regedit.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\regsvr32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\RESTORE.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\RPONOFF.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\rsvp.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\rundll32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\services.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\setup.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\smss.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\spoolsv.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\start.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\svchost.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\taskmgr.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\userinit.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\winlogon.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\xcopy.exe [PE_CORELINK.C-1]

D:\i386\AUTOCHK.EXE [PE_CORELINK.C-1]

D:\i386\AUTOFMT.EXE [PE_CORELINK.C-1]

D:\i386\DIST\SYSTEM32\SMSS.EXE [PE_CORELINK.C-1]

D:\i386\Drv\APP00041\App00041.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP03902\App03902.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP05436\App05436.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP06334\App06334.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP11942\App11942.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP16827\App16827.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP26500\App26500.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP32391\App32391.exe [PE_CORELINK.C-1]

D:\i386\EXPAND.EXE [PE_CORELINK.C-1]

D:\i386\NETSETUP.EXE [PE_CORELINK.C-1]

D:\i386\NTSD.EXE [PE_CORELINK.C-1]

D:\i386\REGEDIT.EXE [PE_CORELINK.C-1]

D:\i386\SYSPARSE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\Bootini.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\DblRes.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\DskPart.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\Eject.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\FATFMT32.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\LABEL.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\LogViewer.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\PAGEFILE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\RESTORE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\RPONOFF.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\SMSS.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\attrib.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\autochk.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\autofmt.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\chkdsk.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\clipsrv.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\cmd.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\cmd2.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\diskpart.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\dmadmin.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqndiag.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqnlogr.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqnloop.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\expand.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\factory.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ipconfig.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\locator.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\lsass.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\net.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\net1.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\netcfg.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\notepad.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ntkrnlmp.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ntsd.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\odbcad32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\odbcconf.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\pentnt.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ping.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\reg.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\regedit.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\regsvr32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\rsvp.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\rundll32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\services.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\setup.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\spoolsv.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\start.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\svchost.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\taskmgr.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\userinit.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\winlogon.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\xcopy.exe [PE_CORELINK.C-1]

D:\i386\TELNET.EXE [PE_CORELINK.C-1]

D:\i386\USETUP.EXE [PE_CORELINK.C-1]

D:\i386\WINNT32.EXE [PE_CORELINK.C-1]

D:\i386\apps\APP00153\App00153.exe [PE_CORELINK.C-1]

D:\i386\apps\APP00292\App00292.exe [PE_CORELINK.C-1]

D:\i386\apps\APP12382\App12382.exe [PE_CORELINK.C-1]

D:\i386\apps\APP17421\App17421.exe [PE_CORELINK.C-1]

D:\i386\apps\APP18716\App18716.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW3MSN\msnfix\msnfix.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW4ATI\Video_ATI_7_83_0_0_ALL_WW_XP_5281-01.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW5NVI\32ww5nvi\PCIFINDX.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW5NVI\32ww5nvi\devcon.exe [PE_CORELINK.C-1]

9183 files have been read.

9183 files have been checked.

9183 files have been scanned.

32818 files have been scanned. (including files in archived)

136 files containing viruses.

Found 136 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/2/2008 22:16:00 13 minutes 22 seconds (802.28 seconds) has elapsed.(87.366 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-02, 22:16:01, Running SSAPI scanner ""...

2008-09-02, 22:53:40, SSAPI Log:

SSAPI Scanner Version: 1.0.1003

SSAPI Engine Version: 5.2.1032

SSAPI Pattern Version: 6.83

SSAPI Anti-Rootkit Version: <Failed>

Spyware Scan Started: 09/02/2008 22:16:06

SSAPI requires the system to reboot.

Detected Items:

[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:administrator@ad.yieldmanager.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@ad.yieldmanager[2].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\adopt.specificclick.net,Cookie:administrator@adopt.specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@adopt.specificclick[2].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\adrevolver.com,Cookie:administrator@adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@adrevolver[1].txt

[CLEAN SUCCESS][Cookie_Pointroll] Internet Explorer Cache\ads.pointroll.com,Cookie:administrator@ads.pointroll.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@ads.pointroll[1].txt

[CLEAN SUCCESS][Cookie_Advertising] Internet Explorer Cache\advertising.com,Cookie:administrator@advertising.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@advertising[2].txt

[CLEAN SUCCESS][Cookie_Apmebf] Internet Explorer Cache\apmebf.com,Cookie:administrator@apmebf.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@apmebf[1].txt

[CLEAN SUCCESS][Cookie_Atdmt] Internet Explorer Cache\atdmt.com,Cookie:administrator@atdmt.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@atdmt[2].txt

[CLEAN SUCCESS][Cookie_BlueStreak] Internet Explorer Cache\bluestreak.com,Cookie:administrator@bluestreak.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@bluestreak[1].txt

[CLEAN SUCCESS][Cookie_Com] Internet Explorer Cache\com.com,Cookie:administrator@com.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@com[1].txt

[CLEAN SUCCESS][Cookie_DoubleClick] Internet Explorer Cache\doubleclick.net,Cookie:administrator@doubleclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@doubleclick[1].txt

[CLEAN SUCCESS][Cookie_FastClick] Internet Explorer Cache\fastclick.net,Cookie:administrator@fastclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@fastclick[1].txt

[CLEAN SUCCESS][Cookie_Hitbox] Internet Explorer Cache\hitbox.com,Cookie:administrator@hitbox.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@hitbox[2].txt

[CLEAN SUCCESS][Cookie_InsightExpressAI] Internet Explorer Cache\insightexpressai.com,Cookie:administrator@insightexpressai.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@insightexpressai[1].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\media.adrevolver.com,Cookie:administrator@media.adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@media.adrevolver[1].txt

[CLEAN SUCCESS][Cookie_Questionmarket] Internet Explorer Cache\questionmarket.com,Cookie:administrator@questionmarket.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@questionmarket[2].txt

[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:administrator@revsci.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@revsci[2].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:administrator@specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@specificclick[1].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\trafficmp.com,Cookie:administrator@trafficmp.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@trafficmp[1].txt

[CLEAN SUCCESS][HackingTools_ProcKill] C:\hp\bin\Terminator.exe,C:\hp\bin\TERMIN~1.EXE,4703

[CLEAN SUCCESS][Adware_CometCursor] C:\Program Files\CompuServe 7.0\cstray.exe,C:\PROGRA~1\COMPUS~1.0\cstray.exe,10

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\,C:\PROGRA~1\Freeze.com,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\freeze.ico,C:\PROGRA~1\Freeze.com\DESKTO~1\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\freeze.url,C:\PROGRA~1\Freeze.com\DESKTO~1\freeze.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\INSTALL.LOG,C:\PROGRA~1\Freeze.com\DESKTO~1\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\undata.exe,C:\PROGRA~1\Freeze.com\DESKTO~1\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\undata.ini,C:\PROGRA~1\Freeze.com\DESKTO~1\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\DESKTO~1\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\,C:\PROGRA~1\Freeze.com\DESKTO~1,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\freeze.ico,C:\PROGRA~1\Freeze.com\LIVING~2\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\INSTALL.LOG,C:\PROGRA~1\Freeze.com\LIVING~2\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\license.txt,C:\PROGRA~1\Freeze.com\LIVING~2\license.txt,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\undata.exe,C:\PROGRA~1\Freeze.com\LIVING~2\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\undata.ini,C:\PROGRA~1\Freeze.com\LIVING~2\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\LIVING~2\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\upgrade.url,C:\PROGRA~1\Freeze.com\LIVING~2\upgrade.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\,C:\PROGRA~1\Freeze.com\LIVING~2,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\freeze.ico,C:\PROGRA~1\Freeze.com\LIVING~1\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\INSTALL.LOG,C:\PROGRA~1\Freeze.com\LIVING~1\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\license.txt,C:\PROGRA~1\Freeze.com\LIVING~1\license.txt,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\undata.exe,C:\PROGRA~1\Freeze.com\LIVING~1\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\undata.ini,C:\PROGRA~1\Freeze.com\LIVING~1\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\LIVING~1\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\upgrade.url,C:\PROGRA~1\Freeze.com\LIVING~1\upgrade.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\,C:\PROGRA~1\Freeze.com\LIVING~1,4701

Detected: 50 items.

Cleaned Success: 47 items.

Clean Failed: 3 items.

Spyware Scan Ended: 09/02/2008 22:53:39

Scan Complete. Time=2257.733887.

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-03, 20:10:40, Auto-clean mode specified.

2008-09-03, 20:10:40, Failed to initialize Rootkit Driver.

2008-09-03, 20:10:40, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-03, 20:12:36, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-03, 20:12:36, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Wed Sep 03 2008 20:10:42

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Wed Sep 03 2008 20:12:29

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-03, 20:12:36, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-03, 20:47:31, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-03, 20:47:31, VSCANTM Log:

2008-09-03, 20:47:31, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/3/2008 20:12:37

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\49ING163\17[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\49ING163\32[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\49ING163\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5YNOXMB\13[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5YNOXMB\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5YNOXMB\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5YNOXMB\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPYNS16J\16[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPYNS16J\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPYNS16J\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPYNS16J\b[1].gif [TROJ_AGENT.AKIK]

2008-09-03, 20:47:31, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-03, 20:47:32, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-03, 20:47:32, VSCANTM Log:

2008-09-03, 20:47:32, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/3/2008 20:47:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

2008-09-03, 20:47:32, Running SSAPI scanner ""...

2008-09-03, 20:47:35, SSAPI Log:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-05, 16:36:19, Auto-clean mode specified.

2008-09-05, 16:36:20, Failed to initialize Rootkit Driver.

2008-09-05, 16:36:20, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-05, 16:38:22, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-05, 16:38:22, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Fri Sep 05 2008 16:36:21

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Fri Sep 05 2008 16:38:17

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-05, 16:38:22, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-05, 19:10:54, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-05, 19:10:54, VSCANTM Log:

2008-09-05, 19:10:54, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/5/2008 16:38:24

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5NXMFIPH\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HN1SQ6O1\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [TROJ_AGENT.ASAY]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\sysocmgr.dll [TROJ_DROPPER.OPZ]

C:\WINDOWS\system32\aotoppt.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\update[2].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\drivers\services.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [bAT_FTPER.C]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\johandy.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

90768 files have been read.

90768 files have been checked.

90744 files have been scanned.

254056 files have been scanned. (including files in archived)

23 files containing viruses.

Found 23 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/5/2008 19:10:54 2 hours 32 minutes 15 seconds (9135.20 seconds) has elapsed.(100.643 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-05, 19:10:54, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-05, 19:22:17, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-05, 19:22:17, VSCANTM Log:

2008-09-05, 19:22:17, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/5/2008 19:10:54

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND D:\*.* /P=C:\sysclean\lpt$vpn.513

9078 files have been read.

9078 files have been checked.

9077 files have been scanned.

32712 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/5/2008 19:22:17 11 minutes 14 seconds (674.02 seconds) has elapsed.(74.247 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-05, 19:22:17, Running SSAPI scanner ""...

2008-09-05, 20:23:37, SSAPI Log:

SSAPI Scanner Version: 1.0.1003

SSAPI Engine Version: 5.2.1032

SSAPI Pattern Version: 6.83

SSAPI Anti-Rootkit Version: <Failed>

Spyware Scan Started: 09/05/2008 19:22:28

SSAPI requires the system to reboot.

Detected Items:

Detected: 6 items.

Cleaned Success: 3 items.

Clean Failed: 3 items.

Spyware Scan Ended: 09/05/2008 20:23:37

Scan Complete. Time=3679.089111.

BTW, task manager is working and the g3gwhatevere.exe file is gone, though there is a new app in C: "p5w5z8y3c7t3"

Alright Raid, here we go again

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O20 - AppInit_DLLs: qxfel.dll mcromv.dll cupops.dll thermaltinc.dll cmbdaf.dll lensch.dll johandy.dll aotoppt.dll catower.dll wllame.dll zfashl.dll

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - (no file)

O21 - SSODL: dpvvoxmh.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\dpvvoxmh.dll

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\dispexcb.dll

O21 - SSODL: imgutilhx2.dll - {DA56B183-A731-402b-9235-2CB8803E212D} - C:\WINDOWS\System32\imgutilhx2.dll

O21 - SSODL: tzzhuiox.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - C:\WINDOWS\System32\adsntzt.dll

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINDOWS\System32\certmgrkd.dll

O21 - SSODL: scrruncqsj.dll - {00240024-0024-0024-0024-00240024BB15} - C:\WINDOWS\System32\scrruncqsj.dll

O21 - SSODL: bootvidgj.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\bootvidgj.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: polensqs.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll

O21 - SSODL: haqyqjmv.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: putifwnb.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll

First, Make sure you are in safe mode with administrator rights.

I want you to manually move each file listed above to a folder called c:\junk. After doing so, zip the folder with a password; "infected" without the quotes will do fine. When you have rebooted into normal mode shortly, I want you to send the zip file you created to uploads.malwarebytes.org. Please name the zip file cmoneysamples1.zip.

After moving all of the files listed, start hijackthis and remove the entries above.

BTW, task manager is working and the g3gwhatevere.exe file is gone, though there is a new app in C: "p5w5z8y3c7t3"

Please include that file in the zip, and move it ;)

After restarting in normal mode, update mbam and scan your machine with it. I'd also like for you to update the sysclean datafiles and scan your machine with it in safe mode.

When you have completed all steps, post updated logs from mbam, sysclean and hijackthis please.
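As an added example (not from the thread, and not part of HijackThis, Malwarebytes or sysclean), a small Python parser that sorts the HijackThis O1/O20/O21 lines quoted in the post above into the two things the instructions ask for: file paths that can be moved into c:\junk, and hosts-file entries, which are lines inside the hosts file rather than files. The sample lines are copied from the log above; the System32 location used to resolve the bare AppInit_DLLs names and the function names are assumptions.

```python
import re
from typing import Dict, List

# HijackThis lines copied from the log posted above (O1 hosts entries, the
# start of the O20 AppInit_DLLs entry, four O21 SSODL entries). One O1 line is
# kept with address and hostname run together, as it appears in the thread.
SAMPLE_HJT_LOG = r"""
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 127.0.0.3adlaji.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O20 - AppInit_DLLs: qxfel.dll mcromv.dll cupops.dll
O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - (no file)
O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll
O21 - SSODL: tzzhuiox.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll
O21 - SSODL: putifwnb.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\putifwnb.dll
"""

O1_RE = re.compile(r"^O1 - Hosts:\s*(.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
# name - {CLSID} - path ; the path reads "(no file)" when the DLL is already gone
O21_RE = re.compile(r"^O21 - SSODL:\s*(.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")


def parse_hijackthis(text: str) -> Dict[str, list]:
    """Sort O1, O20 and O21 lines into hosts entries, AppInit DLLs and SSODL hooks."""
    out: Dict[str, list] = {"hosts": [], "hosts_unparsed": [],
                            "appinit_dlls": [], "ssodl": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := O1_RE.match(line):
            parts = m.group(1).split()
            if len(parts) == 2:
                out["hosts"].append((parts[0], parts[1]))   # (address, hostname)
            else:
                out["hosts_unparsed"].append(m.group(1))   # needs a manual look
        elif m := O20_RE.match(line):
            out["appinit_dlls"].extend(m.group(1).split())  # bare DLL names
        elif m := O21_RE.match(line):
            out["ssodl"].append((m.group(1), m.group(2), m.group(3)))
    return out


def files_to_quarantine(parsed: Dict[str, list],
                        system32: str = r"C:\WINDOWS\System32") -> List[str]:
    """Unique paths behind the O20/O21 entries: the list to move to the junk folder.
    AppInit_DLLs names are bare, so they are resolved against System32 (assumed
    location); several SSODL names can point at one DLL, so a set de-duplicates."""
    paths = {f"{system32}\\{dll}" for dll in parsed["appinit_dlls"]}
    paths.update(path for _name, _clsid, path in parsed["ssodl"]
                 if path != "(no file)")
    return sorted(paths, key=str.lower)


def hosts_entries_to_remove(parsed: Dict[str, list]) -> Dict[str, list]:
    """O1 entries are lines in the hosts file, not files, so nothing can be moved.
    Entries that point a hostname at a non-loopback address redirect traffic to
    that address instead of just blocking the name, so they are listed separately."""
    redirects = [(ip, host) for ip, host in parsed["hosts"]
                 if not ip.startswith("127.") and ip != "0.0.0.0"]
    return {"redirects": redirects,
            "all_hostnames": sorted({host for _ip, host in parsed["hosts"]}),
            "unparsed": list(parsed["hosts_unparsed"])}


if __name__ == "__main__":
    parsed = parse_hijackthis(SAMPLE_HJT_LOG)
    for p in files_to_quarantine(parsed):
        print("move:", p)
    for ip, host in hosts_entries_to_remove(parsed)["redirects"]:
        print("hosts redirect:", host, "->", ip)
```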


Thanks Raid, I will do just that.

But how do I locate these to move them:

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O21 - SSODL: msnmsg - {DA191DE0-AA86-4ED0-4B87-293D48B2AE99} - (no file)
