Reagan72

can't use task manager


Also, two new apps, "ePv" and "EUF", have been created in C:, and a new file, "delself", has been created on my desktop. Should I include those in the zipped folder too?

Thanks Raid, I will do just that.

But how do I locate these to move them:

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

With HijackThis. You select scan and fix, check those, and hit fix.

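The O1 entries above are hosts-file lines, and they come in two kinds: a name mapped to 127.x.x.x is silenced (malware does this to AV and update sites), while a name mapped to a routable address is redirected to whoever controls that address. As an added example, not HijackThis's code or anything posted in this thread, here is a small Python triage script that classifies such lines, groups redirects by target IP, and keeps garbled lines visible instead of dropping them; the sample input copies a few intact entries from the log above plus one invented ".test" hostname.

```python
"""Triage HijackThis "O1 - Hosts:" lines.

Example code added to this thread, not HijackThis's own. It separates two
hosts-file edits that look alike in a log but mean different things:
  sinkhole  - name -> 127.x.x.x: the name stops resolving (malware uses this
              to block AV/update sites; ad blockers use it too)
  redirect  - name -> a routable IP: every request for that name is sent to
              whoever controls that IP
Lines that do not parse as "<ip> <hostname>" (the thread's log has several
that lost their space) are reported as malformed rather than dropped.
"""
import ipaddress
import re
from collections import defaultdict

O1_RE = re.compile(r"^O1 - Hosts:\s*(?P<ip>\S+)\s+(?P<host>\S+)\s*$")

# Constructed sample in the thread's format: intact entries copied from the
# log above, one invented ".test" sinkhole, and two of the garbled lines.
SAMPLE_O1 = """
O1 - Hosts: 127.0.0.1 www.blocked-av-updates.test
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 72.14.235.99 222.1212l112.net
O1 - Hosts: 72.14.235.99 444.1212l112.net
O1 - Hosts: 72.14.235.99 555.1212l112.net
O1 - Hosts: 127.0.0.lwww.xxie.net
O1 - Hosts: 127.0.,0
""".strip().splitlines()


def classify_o1(line):
    """Return (kind, ip, host); kind is 'sinkhole', 'redirect' or 'malformed'."""
    m = O1_RE.match(line.strip())
    if not m:
        return ("malformed", None, None)
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # the IP field is not a valid address
        return ("malformed", m.group("ip"), m.group("host"))
    kind = "sinkhole" if ip.is_loopback else "redirect"
    return (kind, str(ip), m.group("host").lower())


def triage_o1(lines):
    """Summarise a batch of O1 lines.

    'fan_in' lists routable IPs that more than one hostname points at:
    several unrelated names converging on one IP is the usual shape of a
    deliberate hosts-file hijack rather than a stray typo.
    """
    sinkholed, redirects, malformed = [], defaultdict(list), []
    for line in lines:
        kind, ip, host = classify_o1(line)
        if kind == "sinkhole":
            sinkholed.append(host)
        elif kind == "redirect":
            redirects[ip].append(host)
        else:
            malformed.append(line.strip())
    redirects = {ip: sorted(hosts) for ip, hosts in redirects.items()}
    return {
        "sinkholed": sorted(sinkholed),
        "redirects": redirects,
        "malformed": malformed,
        "fan_in": sorted(ip for ip, hosts in redirects.items() if len(hosts) > 1),
    }


def entries_to_remove(lines, allowlist=()):
    """'<ip> <host>' pairs to strip from the hosts file: every redirect, plus
    every sinkhole whose hostname is not an allowlisted deliberate block."""
    allow = {h.lower() for h in allowlist}
    out = []
    for line in lines:
        kind, ip, host = classify_o1(line)
        if kind == "redirect" or (kind == "sinkhole" and host not in allow):
            out.append(f"{ip} {host}")
    return out


if __name__ == "__main__":
    report = triage_o1(SAMPLE_O1)
    for ip in report["fan_in"]:
        print(f"{ip} is the target of {len(report['redirects'][ip])} hostnames")
    print("malformed lines to re-check by hand:", report["malformed"])
    print("entries to remove:", entries_to_remove(SAMPLE_O1))
```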

adsndzt.dll, certmgrkd.dll, xolehlpjh.dll, tscfgwmijxsj.dll, slbiopfs2.dll, inetresdxc.dll, bootvidgj.dll, and cliconfgzx.dll are over 2MB. All the other files, though, I uploaded to that page.


Thanks cmoney, I'll check them out Monday afternoon. In the meantime, have HijackThis remove what it can, then scan your machine with an updated sysclean in safe mode and MBAM in normal mode. Post the logs when completed. Be sure to allow MBAM to remove whatever it sees fit, and restart.

Post a fresh hijackthis log after doing all of that please.

Important! MBAM v1.27 has been released, and it contains more robust code for handling some of these newer, more stubborn malware objects. Please update to it before you do anything else. Thanks!

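The reply above asks for sysclean output, and the log that follows mixes several record types (TSC cleanup actions and per-pass counters, GenericClean detail lines, the VSCANTM "Files Detected" list, and scanner errors). As an added example, not Trend Micro's code or anything posted in this thread, here is a Python summariser that pulls those apart so a helper can see at a glance which malware families are present, where the files sit, what is still pending a reboot, and whether a scanner failed to run; it runs over a constructed sample written in the same formats as the posted log.

```python
"""Summarise a Trend Micro sysclean log.

Example code added to this thread, not Trend Micro's. It pulls apart the
record types mixed together in the log posted in this thread:
  TSC action lines, e.g.
    -->reboot delete file("C:\\WINDOWS\\linkinfo.dll","","") success
    ("reboot delete" means the file is still on disk until the next restart)
  TSC per-pass counters:
    Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)
  GenericClean detail lines (Virus Name:...,Virus File Path:...)
  VSCANTM "Files Detected" lines:
    C:\\WINDOWS\\system32\\agk.exe [WORM_SPYBOT.MCS]
  scanner errors ("... could not be executed: <reason>")
"""
import re
from collections import Counter

ACTION_RE = re.compile(r'^-->(?P<action>[a-z ]+?)\("(?P<path>[^"]*)"')
GENCLEAN_RE = re.compile(r"Virus Name:(?P<name>[^,]+),Virus File Path:(?P<path>.+)$")
COUNTS_RE = re.compile(
    r"Virus found count\((\d+)\), Virus clean count\((\d+)\), Clean failed count\((\d+)\)")
DETECT_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[(?P<name>[^\]]+)\]$")
ERROR_RE = re.compile(r"could not be executed: (?P<reason>.+)$")

# Constructed sample: a few lines in the formats used by the posted log.
SAMPLE_LOG = r"""
2008-09-01, 16:44:20, Initialized Rootkit Driver version 1.6.0.1059.
TSC_GENCLEAN[virus found]
-->reboot delete file("C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll","","") success
-->modify registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\RunOnce","TSC") success
GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll
Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)
PE_CORELINK.C[virus found]
-->reboot delete file("C:\WINDOWS\linkinfo.dll","","") success
Execute pattern count(3021), Virus found count(1), Virus clean count(1), Clean failed count(0)
2008-09-01, 21:06:30, Files Detected:
C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]
C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]
C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]
C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif [TROJ_DLOADER.YON]
2008-09-01, 21:06:34, Scanner "C:\sysclean\VSCANTM.BIN" could not be executed: Insufficient system resources exist to complete the requested service.
""".strip().splitlines()


def family(name):
    """'WORM_SPYBOT.MCS' -> 'WORM_SPYBOT'; heuristic names such as
    'Possible_OLGM-15' carry no variant suffix and come back unchanged."""
    return name.split(".", 1)[0]


def location(path):
    """Rough bucket: browser cache / temp (droppers and downloads) vs. the
    Windows tree (installed components) vs. anything else."""
    p = path.lower()
    if "temporary internet files" in p or "\\temp\\" in p:
        return "cache/temp"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return "other"


def summarize(lines):
    detections = {}          # lowercased path -> (path, detection name)
    reboot_pending = []      # files TSC could only schedule for deletion
    totals = Counter()
    errors = []
    for line in lines:
        line = line.rstrip()
        m = ACTION_RE.match(line)
        if m:
            if m.group("action").startswith("reboot delete"):
                reboot_pending.append(m.group("path"))
            continue
        m = GENCLEAN_RE.search(line) or DETECT_RE.match(line)
        if m:
            detections[m.group("path").lower()] = (m.group("path"), m.group("name"))
            continue
        m = COUNTS_RE.search(line)
        if m:
            found, cleaned, failed = (int(x) for x in m.groups())
            totals["found"] += found
            totals["cleaned"] += cleaned
            totals["failed"] += failed
            continue
        m = ERROR_RE.search(line)
        if m:
            errors.append(m.group("reason"))
    return {
        "detections": sorted(detections.values()),
        "families": Counter(family(n) for _, n in detections.values()),
        "locations": Counter(location(p) for p, _ in detections.values()),
        "reboot_pending": reboot_pending,
        "totals": dict(totals),
        "errors": errors,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("families:", dict(report["families"]))
    print("locations:", dict(report["locations"]))
    print("pending reboot:", report["reboot_pending"])
    print("TSC totals:", report["totals"], "scanner errors:", report["errors"])
```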

Thanks,

SYSCLEAN:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-01, 14:26:47, Auto-clean mode specified.

2008-09-01, 14:26:48, Initialized Rootkit Driver version 1.6.0.1059.

2008-09-01, 14:26:48, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-01, 14:27:30, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-01, 14:27:30, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:26:52

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Mon Sep 01 2008 14:27:25

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-01, 14:27:30, Running scanner "C:\sysclean\VSCANTM.BIN"...

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-01, 16:44:20, Auto-clean mode specified.

2008-09-01, 16:44:20, Initialized Rootkit Driver version 1.6.0.1059.

2008-09-01, 16:44:20, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-01, 17:09:50, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-01, 17:09:50, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:47:49

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->reboot delete file("C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll","","") success

-->add folder("C:\sysclean\TSC_Temp","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->add file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->modify registry data("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\RunOnce","TSC") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll

Complete time : Mon Sep 01 2008 14:47:55

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:48:54

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_GAMETHIE.SE,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif

Complete time : Mon Sep 01 2008 14:48:59

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:49:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_DLOADER.YON,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif

Complete time : Mon Sep 01 2008 14:49:35

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:53:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_GAMETHIE.SE,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif

Complete time : Mon Sep 01 2008 14:53:39

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:54:43

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_MURLO.BA,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif

Complete time : Mon Sep 01 2008 14:54:48

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:55:48

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.PRM,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif

Complete time : Mon Sep 01 2008 14:55:53

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:17

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.PRM,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif

Complete time : Mon Sep 01 2008 14:56:22

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:27

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TSPY_ONLINEG.CHS,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif

Complete time : Mon Sep 01 2008 14:56:33

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 14:56:57

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

TSC_GENCLEAN[virus found]

-->delete file("C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif","","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.exe","","") success

-->copy file("C:\sysclean\tsc.bin","C:\sysclean\TSC_Temp\tsc.exe","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ini","","") success

-->copy file("C:\sysclean\tsc.ini","C:\sysclean\TSC_Temp\tsc.ini","") success

-->delete file("C:\sysclean\TSC_Temp\tsc.ptn","","") success

-->copy file("C:\sysclean\tsc.ptn","C:\sysclean\TSC_Temp\tsc.ptn","") success

-->modify file("C:\sysclean\TSC_Temp\DEADLINKS.INI","","") success

-->add file("C:\sysclean\MARK_TEMP.INI","","") success

-->modify file("C:\sysclean\MARK_TEMP.INI","","") success

-->delete file("C:\sysclean\MARK_TEMP.INI","","") success

GenericClean::Pattern:TSC_GENCLEAN,Virus Name:TROJ_DLOADER.YON,Virus File Path:C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif

Complete time : Mon Sep 01 2008 14:57:01

Execute pattern count(1), Virus found count(1), Virus clean count(1), Clean failed count(0)

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 01 2008 16:44:37

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

PE_CORELINK.C[virus found]

-->reboot delete file("C:\WINDOWS\linkinfo.dll","","") success

Complete time : Mon Sep 01 2008 16:45:21

Execute pattern count(3021), Virus found count(1), Virus clean count(1), Clean failed count(0)

2008-09-01, 17:09:50, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-01, 21:06:29, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-01, 21:06:29, VSCANTM Log:

2008-09-01, 21:06:30, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

C:\Program Files\Messenger\msgmr.dll [TROJ_SMALL.MAG]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [bAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [bAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [TSPY_ONLINEG.SKS]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

105734 files have been read.

105734 files have been checked.

101910 files have been scanned.

272772 files have been scanned. (including files in archived)

88 files containing viruses.

Found 88 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/1/2008 21:06:22 3 hours 56 minutes 24 seconds (14183.81 seconds) has elapsed.(134.146 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-01, 21:06:30, Files Clean:

2008-09-01, 21:06:30, Clean Fail:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

2008-09-01, 21:06:33, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-01, 21:06:34, Scanner "C:\sysclean\VSCANTM.BIN" could not be executed: Insufficient system resources exist to complete the requested service.

2008-09-01, 21:06:34, Running SSAPI scanner ""...

2008-09-01, 21:06:34, Scanner "C:\sysclean\SSAPIPTN.DA5" could not be executed: Insufficient system resources exist to complete the requested service.

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-02, 20:27:26, Auto-clean mode specified.

2008-09-02, 20:27:26, Failed to initialize Rootkit Driver.

2008-09-02, 20:27:26, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-02, 20:29:59, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-02, 20:29:59, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Tue Sep 02 2008 20:27:27

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Tue Sep 02 2008 20:29:00

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-02, 20:29:59, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-02, 22:02:35, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-02, 22:02:35, VSCANTM Log:

2008-09-02, 22:02:35, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NY9TMREB\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QL2NMXYR\a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\07B4R15C\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZT8RQ9EU\update[1].gif [TROJ_DLOADER.YON]

C:\Program Files\Messenger\msgmr.dll [TROJ_SMALL.MAG]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [BAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [BAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [TSPY_ONLINEG.SKS]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

105734 files have been read.

105734 files have been checked.

101910 files have been scanned.

272772 files have been scanned. (including files in archived)

88 files containing viruses.

Found 88 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/1/2008 21:06:22 3 hours 56 minutes 24 seconds (14183.81 seconds) has elapsed.(134.146 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 20:29:59

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [TROJ_AGENT.ASAY]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\sysocmgr.dll [TROJ_DROPPER.OPZ]

C:\WINDOWS\system32\agk.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\anillao.dll [TSPY_ONLINEG.PMY]

C:\WINDOWS\system32\aoe.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\aotoppt.dll [Possible_OLGM-15]

C:\WINDOWS\system32\bmn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\bwo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\candayl.dll [TROJ_GAMETHI.AAZ]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\ckthers.dll [TROJ_GAMETHI.ABA]

C:\WINDOWS\system32\cmbdafk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\comboaus.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\84785_redworld[5].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\1[1].exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[2].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[3].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[4].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[5].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\cxpops.dll [TROJ_GAMETHI.ABB]

C:\WINDOWS\system32\d [BAT_FTPER.C]

C:\WINDOWS\system32\dde.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\drivers\services.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eka.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\eskisl.dll [TSPY_ONLINEG.SOA]

C:\WINDOWS\system32\fid.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\gdo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\gxs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [BAT_FTPER.C]

C:\WINDOWS\system32\iik.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\iwy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jhn.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\jir.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\jjk.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\johandy.dll [Possible_OLGM-15]

C:\WINDOWS\system32\kpy.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lenschk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [TSPY_ONLINEG.SEE]

C:\WINDOWS\system32\micsus.dll [TSPY_ONLINEG.PNW]

C:\WINDOWS\system32\mmo.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mny.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\mssetd.dll [Possible_OLGM-15]

C:\WINDOWS\system32\NMBgMonitor.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\nservice.exe [WORM_SDBOT.CIX]

C:\WINDOWS\system32\nvipat.dll [TSPY_ONLINEG.SPS]

C:\WINDOWS\system32\ohs.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\pcibexl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\pewire.dll [TSPY_ONLINEG.TFG]

C:\WINDOWS\system32\qkc.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\qzi.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\rdl.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ringtte.dll [TSPY_ONLINEG.VHF]

C:\WINDOWS\system32\run.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\rvq.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\sda.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\seb.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\skf.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [Possible_OLGM-15]

C:\WINDOWS\system32\tlo.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\tqc.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ttx.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\uns.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\vtr.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\wws.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\xhm.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\xwl.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\yae.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\yiv.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\ytf.exe [WORM_SPYBOT.MCS]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

C:\y2n4t2j8u6m9.exe [WORM_SPYBOT.AOD]

90658 files have been read.

90658 files have been checked.

90626 files have been scanned.

253936 files have been scanned. (including files in archived)

102 files containing viruses.

Found 102 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/2/2008 22:02:34 1 hour 32 minutes 33 seconds (5552.72 seconds) has elapsed.(61.249 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-02, 22:02:35, Files Clean:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

105734 files have been read.

105734 files have been checked.

101910 files have been scanned.

272772 files have been scanned. (including files in archived)

88 files containing viruses.

Found 88 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/1/2008 21:06:22 3 hours 56 minutes 24 seconds (14183.81 seconds) has elapsed.(134.146 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 20:29:59

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

90658 files have been read.

90658 files have been checked.

90626 files have been scanned.

253936 files have been scanned. (including files in archived)

102 files containing viruses.

Found 102 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/2/2008 22:02:34 1 hour 32 minutes 33 seconds (5552.72 seconds) has elapsed.(61.249 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-02, 22:02:35, Clean Fail:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 14:27:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR C:\*.* /P=C:\sysclean\lpt$vpn.513

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/1/2008 17:09:52

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 20:29:59

2008-09-02, 22:02:35, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-02, 22:16:01, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-02, 22:16:01, VSCANTM Log:

2008-09-02, 22:16:01, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/2/2008 22:02:35

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND D:\*.* /P=C:\sysclean\lpt$vpn.513

D:\cmdcons\autochk.exe [PE_CORELINK.C-1]

D:\cmdcons\autofmt.exe [PE_CORELINK.C-1]

D:\cmdcons\system32\smss.exe [PE_CORELINK.C-1]

D:\Info.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\attrib.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\autochk.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\autofmt.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\Bootini.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\chkdsk.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\clipsrv.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\cmd.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\cmd2.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\DblRes.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\diskpart.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\dmadmin.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\DskPart.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\Eject.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqndiag.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqnlogr.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\eqnloop.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\expand.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\factory.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\FATFMT32.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\ipconfig.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\LABEL.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\locator.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\LogViewer.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\lsass.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\net.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\net1.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\netcfg.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\notepad.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ntkrnlmp.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ntsd.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\odbcad32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\odbcconf.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\PAGEFILE.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\pentnt.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\ping.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\reg.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\regedit.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\regsvr32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\RESTORE.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\RPONOFF.EXE [PE_CORELINK.C-1]

D:\MiniNT\system32\rsvp.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\rundll32.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\services.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\setup.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\smss.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\spoolsv.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\start.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\svchost.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\taskmgr.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\userinit.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\winlogon.exe [PE_CORELINK.C-1]

D:\MiniNT\system32\xcopy.exe [PE_CORELINK.C-1]

D:\i386\AUTOCHK.EXE [PE_CORELINK.C-1]

D:\i386\AUTOFMT.EXE [PE_CORELINK.C-1]

D:\i386\DIST\SYSTEM32\SMSS.EXE [PE_CORELINK.C-1]

D:\i386\Drv\APP00041\App00041.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP03902\App03902.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP05436\App05436.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP06334\App06334.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP11942\App11942.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP16827\App16827.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP26500\App26500.exe [PE_CORELINK.C-1]

D:\i386\Drv\APP32391\App32391.exe [PE_CORELINK.C-1]

D:\i386\EXPAND.EXE [PE_CORELINK.C-1]

D:\i386\NETSETUP.EXE [PE_CORELINK.C-1]

D:\i386\NTSD.EXE [PE_CORELINK.C-1]

D:\i386\REGEDIT.EXE [PE_CORELINK.C-1]

D:\i386\SYSPARSE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\Bootini.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\DblRes.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\DskPart.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\Eject.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\FATFMT32.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\LABEL.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\LogViewer.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\PAGEFILE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\RESTORE.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\RPONOFF.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\SMSS.EXE [PE_CORELINK.C-1]

D:\i386\SYSTEM32\attrib.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\autochk.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\autofmt.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\chkdsk.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\clipsrv.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\cmd.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\cmd2.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\diskpart.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\dmadmin.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqndiag.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqnlogr.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\eqnloop.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\expand.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\factory.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ipconfig.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\locator.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\lsass.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\net.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\net1.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\netcfg.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\notepad.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ntkrnlmp.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ntsd.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\odbcad32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\odbcconf.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\pentnt.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\ping.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\reg.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\regedit.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\regsvr32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\rsvp.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\rundll32.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\services.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\setup.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\spoolsv.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\start.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\svchost.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\taskmgr.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\userinit.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\winlogon.exe [PE_CORELINK.C-1]

D:\i386\SYSTEM32\xcopy.exe [PE_CORELINK.C-1]

D:\i386\TELNET.EXE [PE_CORELINK.C-1]

D:\i386\USETUP.EXE [PE_CORELINK.C-1]

D:\i386\WINNT32.EXE [PE_CORELINK.C-1]

D:\i386\apps\APP00153\App00153.exe [PE_CORELINK.C-1]

D:\i386\apps\APP00292\App00292.exe [PE_CORELINK.C-1]

D:\i386\apps\APP12382\App12382.exe [PE_CORELINK.C-1]

D:\i386\apps\APP17421\App17421.exe [PE_CORELINK.C-1]

D:\i386\apps\APP18716\App18716.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW3MSN\msnfix\msnfix.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW4ATI\Video_ATI_7_83_0_0_ALL_WW_XP_5281-01.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW5NVI\32ww5nvi\PCIFINDX.exe [PE_CORELINK.C-1]

D:\hp\patches\32WW5NVI\32ww5nvi\devcon.exe [PE_CORELINK.C-1]

9183 files have been read.

9183 files have been checked.

9183 files have been scanned.

32818 files have been scanned. (including files in archived)

136 files containing viruses.

Found 136 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/2/2008 22:16:00 13 minutes 22 seconds (802.28 seconds) has elapsed.(87.366 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-02, 22:16:01, Running SSAPI scanner ""...

2008-09-02, 22:53:40, SSAPI Log:

SSAPI Scanner Version: 1.0.1003

SSAPI Engine Version: 5.2.1032

SSAPI Pattern Version: 6.83

SSAPI Anti-Rootkit Version: <Failed>

Spyware Scan Started: 09/02/2008 22:16:06

SSAPI requires the system to reboot.

Detected Items:

[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:administrator@ad.yieldmanager.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@ad.yieldmanager[2].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\adopt.specificclick.net,Cookie:administrator@adopt.specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@adopt.specificclick[2].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\adrevolver.com,Cookie:administrator@adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@adrevolver[1].txt

[CLEAN SUCCESS][Cookie_Pointroll] Internet Explorer Cache\ads.pointroll.com,Cookie:administrator@ads.pointroll.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@ads.pointroll[1].txt

[CLEAN SUCCESS][Cookie_Advertising] Internet Explorer Cache\advertising.com,Cookie:administrator@advertising.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@advertising[2].txt

[CLEAN SUCCESS][Cookie_Apmebf] Internet Explorer Cache\apmebf.com,Cookie:administrator@apmebf.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@apmebf[1].txt

[CLEAN SUCCESS][Cookie_Atdmt] Internet Explorer Cache\atdmt.com,Cookie:administrator@atdmt.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@atdmt[2].txt

[CLEAN SUCCESS][Cookie_BlueStreak] Internet Explorer Cache\bluestreak.com,Cookie:administrator@bluestreak.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@bluestreak[1].txt

[CLEAN SUCCESS][Cookie_Com] Internet Explorer Cache\com.com,Cookie:administrator@com.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@com[1].txt

[CLEAN SUCCESS][Cookie_DoubleClick] Internet Explorer Cache\doubleclick.net,Cookie:administrator@doubleclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@doubleclick[1].txt

[CLEAN SUCCESS][Cookie_FastClick] Internet Explorer Cache\fastclick.net,Cookie:administrator@fastclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@fastclick[1].txt

[CLEAN SUCCESS][Cookie_Hitbox] Internet Explorer Cache\hitbox.com,Cookie:administrator@hitbox.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@hitbox[2].txt

[CLEAN SUCCESS][Cookie_InsightExpressAI] Internet Explorer Cache\insightexpressai.com,Cookie:administrator@insightexpressai.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@insightexpressai[1].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\media.adrevolver.com,Cookie:administrator@media.adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@media.adrevolver[1].txt

[CLEAN SUCCESS][Cookie_Questionmarket] Internet Explorer Cache\questionmarket.com,Cookie:administrator@questionmarket.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@questionmarket[2].txt

[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:administrator@revsci.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@revsci[2].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:administrator@specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@specificclick[1].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\trafficmp.com,Cookie:administrator@trafficmp.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@trafficmp[1].txt

[CLEAN SUCCESS][HackingTools_ProcKill] C:\hp\bin\Terminator.exe,C:\hp\bin\TERMIN~1.EXE,4703

[CLEAN SUCCESS][Adware_CometCursor] C:\Program Files\CompuServe 7.0\cstray.exe,C:\PROGRA~1\COMPUS~1.0\cstray.exe,10

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\,C:\PROGRA~1\Freeze.com,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\freeze.ico,C:\PROGRA~1\Freeze.com\DESKTO~1\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\freeze.url,C:\PROGRA~1\Freeze.com\DESKTO~1\freeze.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\INSTALL.LOG,C:\PROGRA~1\Freeze.com\DESKTO~1\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\undata.exe,C:\PROGRA~1\Freeze.com\DESKTO~1\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\undata.ini,C:\PROGRA~1\Freeze.com\DESKTO~1\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\DESKTO~1\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Desktop Themes\,C:\PROGRA~1\Freeze.com\DESKTO~1,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\freeze.ico,C:\PROGRA~1\Freeze.com\LIVING~2\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\INSTALL.LOG,C:\PROGRA~1\Freeze.com\LIVING~2\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\license.txt,C:\PROGRA~1\Freeze.com\LIVING~2\license.txt,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\undata.exe,C:\PROGRA~1\Freeze.com\LIVING~2\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\undata.ini,C:\PROGRA~1\Freeze.com\LIVING~2\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\LIVING~2\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\upgrade.url,C:\PROGRA~1\Freeze.com\LIVING~2\upgrade.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Marine Aquarium Desktop Theme\,C:\PROGRA~1\Freeze.com\LIVING~2,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\freeze.ico,C:\PROGRA~1\Freeze.com\LIVING~1\freeze.ico,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\INSTALL.LOG,C:\PROGRA~1\Freeze.com\LIVING~1\INSTALL.LOG,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\license.txt,C:\PROGRA~1\Freeze.com\LIVING~1\license.txt,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\undata.exe,C:\PROGRA~1\Freeze.com\LIVING~1\undata.exe,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\undata.ini,C:\PROGRA~1\Freeze.com\LIVING~1\undata.ini,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\UNINSTAL.EXE,C:\PROGRA~1\Freeze.com\LIVING~1\UNINSTAL.EXE,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\upgrade.url,C:\PROGRA~1\Freeze.com\LIVING~1\upgrade.url,4701

[CLEAN SUCCESS][Downloader_Freeze] C:\Program Files\Freeze.com\Living Waterfalls 2 Desktop Theme\,C:\PROGRA~1\Freeze.com\LIVING~1,4701

Detected: 50 items.

Cleaned Success: 47 items.

Clean Failed: 3 items.

Spyware Scan Ended: 09/02/2008 22:53:39

Scan Complete. Time=2257.733887.

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-03, 20:10:40, Auto-clean mode specified.

2008-09-03, 20:10:40, Failed to initialize Rootkit Driver.

2008-09-03, 20:10:40, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-03, 20:12:36, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-03, 20:12:36, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Wed Sep 03 2008 20:10:42

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Wed Sep 03 2008 20:12:29

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-03, 20:12:36, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-03, 20:47:31, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-03, 20:47:31, VSCANTM Log:

2008-09-03, 20:47:31, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/3/2008 20:12:37

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\49ING163\17[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\49ING163\32[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\49ING163\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5YNOXMB\13[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5YNOXMB\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5YNOXMB\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\S5YNOXMB\update[1].gif [TROJ_DLOADER.YON]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPYNS16J\16[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPYNS16J\6[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPYNS16J\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SPYNS16J\b[1].gif [TROJ_AGENT.AKIK]

2008-09-03, 20:47:31, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-03, 20:47:32, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-03, 20:47:32, VSCANTM Log:

2008-09-03, 20:47:32, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/3/2008 20:47:31

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

2008-09-03, 20:47:32, Running SSAPI scanner ""...

2008-09-03, 20:47:35, SSAPI Log:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-05, 16:36:19, Auto-clean mode specified.

2008-09-05, 16:36:20, Failed to initialize Rootkit Driver.

2008-09-05, 16:36:20, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-05, 16:38:22, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-05, 16:38:22, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Fri Sep 05 2008 16:36:21

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Fri Sep 05 2008 16:38:17

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-05, 16:38:22, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-05, 19:10:54, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-05, 19:10:54, VSCANTM Log:

2008-09-05, 19:10:54, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/5/2008 16:38:24

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.513

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5NXMFIPH\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\HN1SQ6O1\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [TROJ_AGENT.ASAY]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\sysocmgr.dll [TROJ_DROPPER.OPZ]

C:\WINDOWS\system32\aotoppt.dll [Possible_OLGM-15]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0X2J4XUV\update[2].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7VE2ZLSX\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\drivers\services.exe [WORM_SPYBOT.AOD]

C:\WINDOWS\system32\i [BAT_FTPER.C]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\johandy.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

90768 files have been read.

90768 files have been checked.

90744 files have been scanned.

254056 files have been scanned. (including files in archived)

23 files containing viruses.

Found 23 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/5/2008 19:10:54 2 hours 32 minutes 15 seconds (9135.20 seconds) has elapsed.(100.643 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-05, 19:10:54, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-05, 19:22:17, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-05, 19:22:17, VSCANTM Log:

2008-09-05, 19:22:17, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/5/2008 19:10:54

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND D:\*.* /P=C:\sysclean\lpt$vpn.513

9078 files have been read.

9078 files have been checked.

9077 files have been scanned.

32712 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/5/2008 19:22:17 11 minutes 14 seconds (674.02 seconds) has elapsed.(74.247 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-05, 19:22:17, Running SSAPI scanner ""...

2008-09-05, 20:23:37, SSAPI Log:

SSAPI Scanner Version: 1.0.1003

SSAPI Engine Version: 5.2.1032

SSAPI Pattern Version: 6.83

SSAPI Anti-Rootkit Version: <Failed>

Spyware Scan Started: 09/05/2008 19:22:28

SSAPI requires the system to reboot.

Detected Items:

Detected: 6 items.

Cleaned Success: 3 items.

Clean Failed: 3 items.

Spyware Scan Ended: 09/05/2008 20:23:37

Scan Complete. Time=3679.089111.

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-08, 15:17:46, Auto-clean mode specified.

2008-09-08, 15:17:46, Failed to initialize Rootkit Driver.

2008-09-08, 15:17:46, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-08, 15:24:35, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-08, 15:24:35, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Mon Sep 08 2008 15:17:46

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 976) [success]

Complete time : Mon Sep 08 2008 15:19:17

Execute pattern count(3021), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-09-08, 15:24:35, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-08, 17:52:55, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-08, 17:52:55, VSCANTM Log:

2008-09-08, 17:52:55, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/8/2008 15:24:36

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 527 (326421/326421 Patterns) (2008/09/05) (552700)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND C:\*.* /P=C:\sysclean\lpt$vpn.527

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\17[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\19[2].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\1b[1].gif [TSPY_ONLINEG.LYD]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\22[1].gif [TSPY_ONLINEG.LYD]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\26[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\31[1].gif [TSPY_ONLINEG.LYD]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\6[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\b[1].gif [TROJ_AGENT.AKIK]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\d[1].gif [TROJ_ALMANAHE.AC]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\11[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\15[2].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\16[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\2[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\32[1].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\3[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\7[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\abb[1].gif [TROJ_MURLO.BA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\13[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\21[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\25[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\34[2].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\4[2].gif [TSPY_ONLINEG.CHS]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\5[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\9[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\12[1].gif [TROJ_GAMETHIE.FA]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\18[1].gif [TSPY_ONLINEG.LYD]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\1a[1].gif [TSPY_ONLINEG.PRM]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\21[1].gif [TSPY_GAMETHIE.SE]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\23[1].gif [TSPY_ONLINEG.MDX]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\24[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\33[1].gif [Possible_OLGM-15]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\8[1].gif [TSPY_ONLINEG.LYD]

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\update[1].gif [TROJ_DLOADER.YON]

C:\Program Files\Messenger\msgmr.dll [TROJ_SMALL.MAG]

C:\WINDOWS\AppPatch\AclLayer.dll [TROJ_SMALL.DBD]

C:\WINDOWS\AppPatch\AcSpecf.dll [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\AcXtrnel.sdb [TROJ_ALMANAHE.AD]

C:\WINDOWS\AppPatch\DesktopWin.dll [TROJ_SMALL.DBD]

C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll [TROJ_AGENT.ASAY]

C:\WINDOWS\Fonts\Framdee.ttf [TROJ_DLOADE.XH]

C:\WINDOWS\linkinfo.dll [PE_CORELINK.C-O]

C:\WINDOWS\sysocmgr.dll [TROJ_DROPPER.OPZ]

C:\WINDOWS\system32\adsntzt.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\aotoppt.dll [Possible_OLGM-15]

C:\WINDOWS\system32\bootvidgj.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\catower.dll [Possible_OLGM-15]

C:\WINDOWS\system32\certmgrkd.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\cliconfgzx.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KG4J73HE\update[1].gif [TROJ_DLOADER.YON]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\84785_redworld[1].exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YC059TEA\abb[1].gif [TROJ_MURLO.BA]

C:\WINDOWS\system32\dllcache\qxchost.exe [WORM_SDBOT.GAV]

C:\WINDOWS\system32\drivers\cdralw.sys [TROJ_AGENT.THK]

C:\WINDOWS\system32\eskisl.dll [Possible_OLGM-15]

C:\WINDOWS\system32\inetresdxc.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\johandy.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lensch.dll [Possible_OLGM-15]

C:\WINDOWS\system32\lweurqhx.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\mcromv.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mduaey.dll [Possible_OLGM-15]

C:\WINDOWS\system32\mshta.dll [TROJ_PROXY.ADH]

C:\WINDOWS\system32\pewire.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfel.dll [Possible_OLGM-15]

C:\WINDOWS\system32\qxfelk.exe [TSPY_ONLINEG.CHS]

C:\WINDOWS\system32\slbiopfs2.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\thermaltinc.dll [Possible_OLGM-15]

C:\WINDOWS\system32\tscfgwmijxsj.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\xolehlpjh.dll [TSPY_GAMETHIE.SE]

C:\WINDOWS\system32\zfashl.dll [Possible_OLGM-15]

C:\WINDOWS\Temp\wmsetup.dll [TROJ_MURLO.BA]

93144 files have been read.

93144 files have been checked.

93120 files have been scanned.

256683 files have been scanned. (including files in archived)

73 files containing viruses.

Found 73 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/8/2008 17:52:54 2 hours 28 minutes 9 seconds (8889.22 seconds) has elapsed.(95.435 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-08, 17:52:55, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-08, 18:04:25, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-08, 18:04:25, VSCANTM Log:

2008-09-08, 18:04:25, Files Detected:

Copyright © 1990 - 2006 Trend Micro Inc.

Report Date : 9/8/2008 17:52:55

VSAPI Engine Version : 8.900-1001

VSCANTM Version : 3.00-1014 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 527 (326421/326421 Patterns) (2008/09/05) (552700)

Command Line: C:\sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /C /ACTIVEACTION=5 /VSBKENC+ /HOSPITAL=.\BACKUP /LR /LAPPEND D:\*.* /P=C:\sysclean\lpt$vpn.527

9078 files have been read.

9078 files have been checked.

9078 files have been scanned.

32713 files have been scanned. (including files in archived)

0 files containing viruses.

Found 0 viruses totally.

Maybe 0 viruses totally.

Stop At: 9/8/2008 18:04:25 11 minutes 20 seconds (679.63 seconds) has elapsed.(74.865 msec/file)

---------*---------*---------*---------*---------*---------*---------*---------*

2008-09-08, 18:04:25, Running SSAPI scanner ""...

2008-09-08, 19:08:43, SSAPI Log:

SSAPI Scanner Version: 1.0.1003

SSAPI Engine Version: 5.2.1032

SSAPI Pattern Version: 6.85

SSAPI Anti-Rootkit Version: <Failed>

Spyware Scan Started: 09/08/2008 18:04:35

SSAPI requires the system to reboot.

Detected Items:

[CLEAN SUCCESS][Cookie_2o7] Internet Explorer Cache\2o7.net,Cookie:administrator@2o7.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@2o7[2].txt

[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:administrator@ad.yieldmanager.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@ad.yieldmanager[1].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\adopt.specificclick.net,Cookie:administrator@adopt.specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@adopt.specificclick[1].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\adrevolver.com,Cookie:administrator@adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@adrevolver[1].txt

[CLEAN SUCCESS][Cookie_Pointroll] Internet Explorer Cache\ads.pointroll.com,Cookie:administrator@ads.pointroll.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@ads.pointroll[1].txt

[CLEAN SUCCESS][Cookie_Advertising] Internet Explorer Cache\advertising.com,Cookie:administrator@advertising.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@advertising[2].txt

[CLEAN SUCCESS][Cookie_Apmebf] Internet Explorer Cache\apmebf.com,Cookie:administrator@apmebf.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@apmebf[1].txt

[CLEAN SUCCESS][Cookie_Atdmt] Internet Explorer Cache\atdmt.com,Cookie:administrator@atdmt.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@atdmt[2].txt

[CLEAN SUCCESS][Cookie_Atwola] Internet Explorer Cache\atwola.com,Cookie:administrator@atwola.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@atwola[2].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\casalemedia.com,Cookie:administrator@casalemedia.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@casalemedia[2].txt

[CLEAN SUCCESS][Cookie_Com] Internet Explorer Cache\com.com,Cookie:administrator@com.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@com[1].txt

[CLEAN SUCCESS][Cookie_DoubleClick] Internet Explorer Cache\doubleclick.net,Cookie:administrator@doubleclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@doubleclick[1].txt

[CLEAN SUCCESS][Cookie_InsightExpressAI] Internet Explorer Cache\insightexpressai.com,Cookie:administrator@insightexpressai.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@insightexpressai[1].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\media.adrevolver.com,Cookie:administrator@media.adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@media.adrevolver[1].txt

[CLEAN SUCCESS][Cookie_Questionmarket] Internet Explorer Cache\questionmarket.com,Cookie:administrator@questionmarket.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@questionmarket[1].txt

[CLEAN SUCCESS][Cookie_Revsci] Internet Explorer Cache\revsci.net,Cookie:administrator@revsci.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@revsci[2].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:administrator@specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@specificclick[2].txt

[CLEAN SUCCESS][Cookie_Tacoda] Internet Explorer Cache\tacoda.net,Cookie:administrator@tacoda.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@tacoda[1].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\trafficmp.com,Cookie:administrator@trafficmp.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@trafficmp[1].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\tribalfusion.com,Cookie:administrator@tribalfusion.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@tribalfusion[1].txt

[CLEAN SUCCESS][Cookie_Unicast] Internet Explorer Cache\unicast.com,Cookie:administrator@unicast.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\administrator@unicast[1].txt

[CLEAN SUCCESS][Cookie_2o7] Internet Explorer Cache\2o7.net,Cookie:administrator@2o7.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@2o7[2].txt

[CLEAN SUCCESS][Cookie_YieldManager] Internet Explorer Cache\ad.yieldmanager.com,Cookie:administrator@ad.yieldmanager.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@ad.yieldmanager[1].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\adopt.specificclick.net,Cookie:administrator@adopt.specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@adopt.specificclick[1].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\media.adrevolver.com,Cookie:administrator@media.adrevolver.com/adrevolver/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@adrevolver[1].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\adrevolver.com,Cookie:administrator@adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@adrevolver[2].txt

[CLEAN SUCCESS][Cookie_Pointroll] Internet Explorer Cache\ads.pointroll.com,Cookie:administrator@ads.pointroll.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@ads.pointroll[1].txt

[CLEAN SUCCESS][Cookie_Advertising] Internet Explorer Cache\advertising.com,Cookie:administrator@advertising.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@advertising[1].txt

[CLEAN SUCCESS][Cookie_Apmebf] Internet Explorer Cache\apmebf.com,Cookie:administrator@apmebf.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@apmebf[2].txt

[CLEAN SUCCESS][Cookie_Ask] Internet Explorer Cache\ask.com,Cookie:administrator@ask.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@ask[1].txt

[CLEAN SUCCESS][Cookie_Atdmt] Internet Explorer Cache\atdmt.com,Cookie:administrator@atdmt.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@atdmt[2].txt

[CLEAN SUCCESS][Cookie_Atwola] Internet Explorer Cache\atwola.com,Cookie:administrator@atwola.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@atwola[1].txt

[CLEAN SUCCESS][Cookie_BurstNet] Internet Explorer Cache\burstnet.com,Cookie:administrator@burstnet.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@burstnet[2].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\casalemedia.com,Cookie:administrator@casalemedia.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@casalemedia[2].txt

[CLEAN SUCCESS][Cookie_DoubleClick] Internet Explorer Cache\doubleclick.net,Cookie:administrator@doubleclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@doubleclick[1].txt

[CLEAN SUCCESS][Cookie_ExitExchange] Internet Explorer Cache\exitexchange.com,Cookie:administrator@exitexchange.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@exitexchange[1].txt

[CLEAN SUCCESS][Cookie_FastClick] Internet Explorer Cache\fastclick.net,Cookie:administrator@fastclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@fastclick[2].txt

[CLEAN SUCCESS][Cookie_InsightExpressAI] Internet Explorer Cache\insightexpressai.com,Cookie:administrator@insightexpressai.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@insightexpressai[1].txt

[CLEAN SUCCESS][Cookie_AdRevolver] Internet Explorer Cache\media.adrevolver.com,Cookie:administrator@media.adrevolver.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@media.adrevolver[2].txt

[CLEAN SUCCESS][Cookie_Mediaplex] Internet Explorer Cache\mediaplex.com,Cookie:administrator@mediaplex.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@mediaplex[1].txt

[CLEAN SUCCESS][Cookie_Questionmarket] Internet Explorer Cache\questionmarket.com,Cookie:administrator@questionmarket.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@questionmarket[2].txt

[CLEAN SUCCESS][Cookie_Adjuggler] Internet Explorer Cache\rotator.adjuggler.com,Cookie:administrator@rotator.adjuggler.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@rotator.adjuggler[2].txt

[CLEAN SUCCESS][Cookie_ServingSys] Internet Explorer Cache\serving-sys.com,Cookie:administrator@serving-sys.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@serving-sys[2].txt

[CLEAN SUCCESS][Cookie_SpecificClick] Internet Explorer Cache\specificclick.net,Cookie:administrator@specificclick.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@specificclick[1].txt

[CLEAN SUCCESS][Cookie_StatCounter] Internet Explorer Cache\statcounter.com,Cookie:administrator@statcounter.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@statcounter[1].txt

[CLEAN SUCCESS][Cookie_Tacoda] Internet Explorer Cache\tacoda.net,Cookie:administrator@tacoda.net/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@tacoda[2].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\trafficmp.com,Cookie:administrator@trafficmp.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@trafficmp[1].txt

[CLEAN SUCCESS][Cookie_Profiling] Internet Explorer Cache\tribalfusion.com,Cookie:administrator@tribalfusion.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@tribalfusion[1].txt

[CLEAN SUCCESS][Cookie_BurstBeacon] Internet Explorer Cache\www.burstbeacon.com,Cookie:administrator@www.burstbeacon.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@www.burstbeacon[1].txt

[CLEAN SUCCESS][Cookie_BurstNet] Internet Explorer Cache\www.burstnet.com,Cookie:administrator@www.burstnet.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@www.burstnet[1].txt

[CLEAN SUCCESS][Cookie_Zedo] Internet Explorer Cache\zedo.com,Cookie:administrator@zedo.com/,C:\Documents and Settings\Administrator.YOUR-N3TY7ATHD5.000\Cookies\anyuser@zedo[1].txt

Detected: 71 items.

Cleaned Success: 61 items.

Clean Failed: 10 items.

Spyware Scan Ended: 09/08/2008 19:08:40

Scan Complete. Time=3854.784180.

MBAM:

Malwarebytes' Anti-Malware 1.27

Database version: 1130

Windows 5.1.2600 Service Pack 1

9/8/2008 9:25:42 PM

mbam-log-2008-09-08 (21-25-42).txt

Scan type: Quick Scan

Objects scanned: 50039

Time elapsed: 9 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 3

Registry Keys Infected: 12

Registry Values Infected: 13

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\imgutilhx2.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\twainyy.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\dpvvoxmh.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\thunderadvise.thunderhlpobj.1 (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da1de019-a6a8-ed40-4b87-248b2a93de99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2876d76c-caaa-4313-af97-8d1d9a2a1087} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{71a78cd4-e470-4a18-8457-e0e0283dd507} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{eb9660d8-e1cd-4ff0-b4a9-00cd907f928a} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da56b183-a731-402b-9235-2cb8803e212d} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{2cb77746-8ecc-40ca-8217-10ca8be5efc8} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97421d0d-e07f-40df-8f07-99597b9585ad} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{2876d76c-caaa-4313-af97-8d1d9a2a1087} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dpvvoxmh.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{da56b183-a731-402b-9235-2cb8803e212d} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\imgutilhx2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{434fa69c-5f0a-42e1-82b8-10af2c8e53c6} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\twainyy.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sysocmgr (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\thunderadvise (Trojan.BHO) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\lweurqhx.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\slbiopfs2.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\tscfgwmijxsj.dll (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3PMmUpdate (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{71a78cd4-e470-4a18-8457-e0e0283dd507} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Broken.SecurityProviders) -> Bad: (msapsspc.dll schannel.dll digest.dll msnsspc.dll) Good: (msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("%1" %*) Good: ("%1" /S) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\dpvvoxmh.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\imgutilhx2.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\twainyy.dll (Trojan.Agent) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\35KJM8XN\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\LCNW1P3M\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\NK1ICRFT\b[1].gif (Spyware.OnLineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\AppPatch\DesktopWin.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Update.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\sysocmgr.dll (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\system32\lweurqhx.dll (Spyware.OnlineGames) -> Delete on reboot.

C:\WINDOWS\system32\drivers\cdralw.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:36:27 PM, on 9/8/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.EXE

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: qxfel.dll eskisl.dll mcromv.dll micsus.dll mduaey.dll cupops.dll thermaltinc.dll cmbdaf.dll lensch.dll johandy.dll aotoppt.dll pewire.dll catower.dll wllame.dll

O21 - SSODL: dragahai.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\vfjehpyv.dll

O21 - SSODL: lynbmtut.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\vfjehpyv.dll

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll (file missing)

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\dispexcb.dll

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - C:\WINDOWS\System32\adsntzt.dll

O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINDOWS\System32\certmgrkd.dll (file missing)

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: bootvidgj.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - C:\WINDOWS\System32\bootvidgj.dll

O21 - SSODL: scrruncqsj.dll - {00240024-0024-0024-0024-00240024BB15} - C:\WINDOWS\System32\scrruncqsj.dll

O21 - SSODL: pangpcfw.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\vfjehpyv.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O21 - SSODL: vfjehpyv.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\vfjehpyv.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7234 bytes

THOSE 3 NEW .EXE'S IN C: ARE STILL THERE, SHOULD I ATTEMPT TO DELETE THEM?

Good. :unsure:

You can delete c:\_OTMoveIt\ now and follow the rest of my directions. ;)

Hi Tigger,

I closed this thread prematurely, so I've reopened it. Let's see if we can get cmoney cleaned up.


Okay....

I want you to download the following two programs

ATF-Cleaner http://www.atribune.org/index.php?option=c...5&Itemid=25

EruNT http://www.larshederer.homepage.t-online.de/erunt/

Under normal conditions, it's not wise to disable system restore, but in this case, we are going to do so.

First things first,

Download and run ERUNT. Allow it to back up your registry files.

Next, right-click My Computer, select Properties, then the System Restore tab. Check the box to turn System Restore off.

Hit Apply and OK. This will probably take a few minutes, depending on the number of restore points you have.

Fire up ATF-Cleaner, click the Select All box, and then hit the Empty Selected button. This is going to take a little time; be patient.

I want you to download a new version of SysClean with updated pattern/signature files.

Reboot your computer into safe mode, and scan it with SysClean; let SysClean clean the computer.

Allow your computer to reboot normally after running SysClean. First thing, run Malwarebytes, hit the Update tab and update. v1.28 is out now. Have it scan your computer, and allow it to remove anything it finds.

If it requests a reboot, go ahead and do so, then after rebooting normally scan again with MBAM and HijackThis and post fresh logs.

We are not going to turn system restore back on until we're clean.


I appreciate this Raid, really I do. Is it alright if we start this Friday? My school workload is hectic with homework and tests to study for; I won't have any time until then.


I don't know, Raid, I think we got it.

MBAM:

Malwarebytes' Anti-Malware 1.28

Database version: 1142

Windows 5.1.2600 Service Pack 1

9/12/2008 7:34:29 PM

mbam-log-2008-09-12 (19-34-29).txt

Scan type: Quick Scan

Objects scanned: 47374

Time elapsed: 6 minute(s), 28 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:34:57 PM, on 9/12/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\wanmpsvc.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll (file missing)

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - (no file)

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - (no file)

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - (no file)

O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINDOWS\System32\certmgrkd.dll (file missing)

O21 - SSODL: bootvidgj.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - (no file)

O21 - SSODL: scrruncqsj.dll - {00240024-0024-0024-0024-00240024BB15} - (no file)

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - (no file)

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 5946 bytes

Though there is still this app in C:, "q5u1t3l7n2y3" (created itself 9/9/2008). Do you need me to upload it? Should I delete it? (I haven't tried sending it to the Recycle Bin; it might not go.)

Edit: I just opened task manager and the app in C: mentioned above is running


Please upload it to the usual place. :unsure:

And see if you can shut it down in task manager. Next, we need to clean up some entries with hijackthis.

O1 - Hosts: 127.0.,0

O1 - Hosts: 127.0.01222.volumeplay1.com

O1 - Hosts: 127.0.0.3adlaji.cn

O1 - Hosts: 127.0.0.lwww.xxie.net

O1 - Hosts: 127.0.01www.gfrgfrsa.cn

O1 - Hosts: 202.165.102.205 972.aksjd11.com

O1 - Hosts: 202.165.102.205 w3og.cn

O1 - Hosts: 203.208.35.100 qazc.fourtw.cn

O1 - Hosts: 203.208.35.100 www.aujoy.cn

O1 - Hosts: 203.208.35.101 www.hao601.cn

O1 - Hosts: 203.208.35.101 www.psp476.cn

O1 - Hosts: 72.14.235.99 222.1212l112.net

O1 - Hosts: 72.14.235.99 444.1212l112.netn

O1 - Hosts: 72.14.235.99 555.1212l112.net

O1 - Hosts: 72.14.235.99 111.1212l112.net

O1 - Hosts: 65.55.21.250 111.3243l24.com

O1 - Hosts: 65.55.21.250 222.3243l24.com

O1 - Hosts: 65.55.21.250 333.3243l24.com

O1 - Hosts: 125.64.8.112 kao2.gmwo03.com

O1 - Hosts: 125.64.8.112 kao.gmwo06.com

O1 - Hosts: 125.64.8.112 444.gmwo07.com

O1 - Hosts: 116.252.185.15 ru.update365.us

O1 - Hosts: 116.252.185.15 ad.update365.us

O1 - Hosts: 207.46.232.182 popmails.net

O1 - Hosts: 203.208.37.99 3.goodhh.com

O1 - Hosts: 220.181.37.55 down.rwixr.com

O1 - Hosts: 160.79.42.52 www.xdj2008.com

O1 - Hosts: 63.175.76.152 www.revtr.cn

O1 - Hosts: 219.133.40.91 qq.ljsll.com

O1 - Hosts: 203.208.35.102 www.aassccwe.cn

O1 - Hosts: 209.132.177.50 973.aksjd11.com

O1 - Hosts: 209.132.177.50 974.aksjd11.com

O1 - Hosts: 209.132.177.50 971.aksjd11.com

O1 - Hosts: 209.132.177.50 975.aksjd11.com

O1 - Hosts: 72.14.235.104 user1.12-39.net

O1 - Hosts: 72.14.235.147 www.infomt.net

O1 - Hosts: 192.150.18.101 ata1.sysions.net

O1 - Hosts: 192.150.18.101 ata2.sysions.net

O1 - Hosts: 192.150.18.101 ata3.sysions.net

O1 - Hosts: 192.150.18.101 ata4.sysions.net

O1 - Hosts: 193.120.42.226 8nnnnn99.cn

O1 - Hosts: 24.39.54.34 www.haoaoao.cn

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O21 - SSODL: inetresdxc.dll - {BB4E3499-0132-4d3f-849A-2BE1B26D84E1} - C:\WINDOWS\System32\inetresdxc.dll (file missing)

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - (no file)

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - (no file)

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - (no file)

O21 - SSODL: certmgrkd.dll - {9E8287B0-0F3A-48ae-99C5-A6E0AAC36BC5} - C:\WINDOWS\System32\certmgrkd.dll (file missing)

O21 - SSODL: bootvidgj.dll - {D3112B69-A745-4805-874E-ABD480EA1299} - (no file)

O21 - SSODL: scrruncqsj.dll - {00240024-0024-0024-0024-00240024BB15} - (no file)

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - (no file)

For some reason, we have a survivor. I will need you to upload it to the uploads location as well:

C:\WINDOWS\System32\rasdlgcq.dll
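A small triage script for O1 - Hosts lines like the ones listed above, added here as an example and not part of this thread or of HijackThis. It reads each entry the way the Windows hosts file does (so the shorthand 127.1 counts as loopback), separates blocking entries (loopback target) from redirecting ones (any other address), flags lines where the address and host name ran together, and counts redirect targets so a "same IP in every O1 item" pattern stands out. Sample lines are copied from this thread's logs plus one constructed localhost entry.

```python
r"""Triage 'O1 - Hosts:' lines from a HijackThis log.

Added example, not code from this thread or from HijackThis. Each O1 line
echoes one line of %SystemRoot%\system32\drivers\etc\hosts. A loopback
target (127.x.x.x) only blocks a name; any other target silently redirects
it, which is what the entries in this thread do.
"""
import ipaddress
from collections import Counter

O1_PREFIX = "O1 - Hosts:"

# Sample input: O1/O4 lines copied from the logs in this thread plus one
# constructed 'localhost' entry, so every branch below is exercised.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.1 vt0r48p760.cn
O1 - Hosts: 127.0.,0
O1 - Hosts: 127.0.01222.volumeplay1.com
O1 - Hosts: 202.165.102.205 972.aksjd11.com
O1 - Hosts: 202.165.102.205 w3og.cn
O1 - Hosts: 192.150.18.101 ata1.sysions.net
O1 - Hosts: 192.150.18.101 ata2.sysions.net
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
"""


def parse_ipv4(text):
    """Parse dotted IPv4 with inet_addr semantics (decimal components only).

    Windows accepts the shorthand '127.1' as 127.0.0.1: the last component
    fills all remaining bytes. Returns an IPv4Address, or None if invalid.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        return None
    head, last = nums[:-1], nums[-1]
    if any(not 0 <= n <= 255 for n in head):
        return None
    tail_bits = 8 * (4 - len(head))
    if not 0 <= last < (1 << tail_bits):
        return None
    value = 0
    for n in head:
        value = (value << 8) | n
    return ipaddress.IPv4Address((value << tail_bits) | last)


def parse_o1_body(body):
    """Split the text after 'O1 - Hosts:' into (IPv4Address, hostname).

    Returns None when the line does not split into an address and a name,
    e.g. '127.0.01222.volumeplay1.com', where the two ran together.
    """
    fields = body.split(None, 1)
    if len(fields) != 2:
        return None
    ip = parse_ipv4(fields[0])
    if ip is None:
        return None
    return ip, fields[1].strip()


def triage(log_text):
    """Bucket every O1 line of a HijackThis log.

    'block'     - names pointed at loopback (the normal, harmless shape)
    'redirect'  - (address, name) pairs pointed anywhere else
    'malformed' - raw O1 bodies that could not be parsed
    'targets'   - Counter of redirect addresses
    """
    report = {"block": [], "redirect": [], "malformed": [], "targets": Counter()}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line.startswith(O1_PREFIX):
            continue  # other HijackThis sections are out of scope here
        body = line[len(O1_PREFIX):].strip()
        parsed = parse_o1_body(body)
        if parsed is None:
            report["malformed"].append(body)
            continue
        ip, name = parsed
        if ip.is_loopback:
            report["block"].append(name)
        else:
            report["redirect"].append((str(ip), name))
            report["targets"][str(ip)] += 1
    return report


def dominant_target(report):
    """(address, count) of the most common redirect target, or None."""
    if not report["targets"]:
        return None
    return report["targets"].most_common(1)[0]


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket in ("block", "redirect", "malformed"):
        print(f"{bucket}: {result[bucket]}")
    print("most common redirect target:", dominant_target(result))
```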


When I went to clean in HijackThis, a message popped up like 8-10 times that said: registry editing has been disabled by your administrator, but when I went and scanned it again (before I restarted) everything was gone except for the rasdlgcq.dll.

Edit: after rebooting, everything you said to clean in HijackThis is still gone except for rasdlgcq.dll.

Also, Task Manager isn't working again (since we've started cleaning the PC, the only time Task Manager works is on the first reboot after an MBAM scan. Should I run another now to enable it and shut down that app, or just wait until the app's updated into MBAM?)

When I went to clean in HijackThis, a message popped up like 8-10 times that said: registry editing has been disabled by your administrator, but when I went and scanned it again (before I restarted) everything was gone except for the rasdlgcq.dll.

Edit: after rebooting, everything you said to clean in HijackThis is still gone except for rasdlgcq.dll.

Also, Task Manager isn't working again (since we've started cleaning the PC, the only time Task Manager works is on the first reboot after an MBAM scan. Should I run another now to enable it and shut down that app, or just wait until the app's updated into MBAM?)

Hi Cmoney, I think MBAM knows the offender now. I need you to run hijackthis for me and post a fresh logfile.

It's a registry key turning task manager and regedit off. Once we remove the offending software, that won't happen anymore.

Go ahead and update MBAM and scan again, please. Post the results. Let's see about cleaning this up.


Hey Raid,

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:45:52 PM, on 9/13/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\Explorer.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\system32\drivers\svchost.exe

c:\q5u1t3l7n2y3.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\svchost.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\system32\drivers\svchost.exe

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

O21 - SSODL: rasdlgcq.dll - {F0C9FBC2-6FA2-479d-B65D-F9D65C613ECC} - C:\WINDOWS\System32\rasdlgcq.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 4038 bytes


Malwarebytes' Anti-Malware 1.28

Database version: 1145

Windows 5.1.2600 Service Pack 1

9/13/2008 12:55:44 PM

mbam-log-2008-09-13 (12-55-44).txt

Scan type: Quick Scan

Objects scanned: 47923

Time elapsed: 7 minute(s), 8 second(s)

Memory Processes Infected: 1

Memory Modules Infected: 3

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

C:\WINDOWS\system32\drivers\svchost.exe (Heuristics.Reserved.Word.Exploit) -> Unloaded process successfully.

Memory Modules Infected:

C:\WINDOWS\system32\rasdlgcq.dll (Trojan.OnlineGames) -> Delete on reboot.

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{f0c9fbc2-6fa2-479d-b65d-f9d65c613ecc} (Trojan.OnlineGames) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{da191de0-aa86-4ed0-4b87-292a3d48be99} (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f0c9fbc2-6fa2-479d-b65d-f9d65c613ecc} (Trojan.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rasdlgcq.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\desktopwin (Spyware.OnlineGames) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Heuristics.Reserved.Word.Exploit) -> Data: system32\drivers\svchost.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe %WINDIR%\system32\drivers\svchost.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\rasdlgcq.dll (Trojan.OnlineGames) -> Delete on reboot.

C:\WINDOWS\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\Documents and Settings\Owner\Local Settings\Temp\wmsetup.dll (Trojan.Downloader) -> Delete on reboot.

C:\WINDOWS\AppPatch\DesktopWin.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\cmbdaf.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\wllame.dll (Trojan.OnlineGames) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\abb[1].gif (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OO8HWOUR\update[1].gif (Spyware.OnlineGames) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\svchost.exe (Trojan.Agent) -> Delete on reboot.


Thanks Raid,

After rebooting the machine after the MBAM scan, I looked in system32 and didn't find the rasdlgcq.dll file anymore; however, there's still (and always has been) an NLS file with that same name. Also, the app in C: is still there, though Task Manager doesn't have it running as a process.


I just went and opened HijackThis again and ran a scan (bored as hell, wasn't going to do anything, just running a scan) and during the scan a message popped up that said: "you have an particularly large amount of hijacked domains. It's probably better to delete the file itself then to fix each item (and create a backup).

If you see the same IP address in all the reported O1 items, consider deleting your Hosts file, which is located at C:\WINDOWS\System32\drivers\etc\hosts."

Edit: Here's the log just in case:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:15:39 PM, on 9/13/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\System32\rundll32.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\rundll32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\System32\mcromvk.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: mcromv.dll micsus.dll mduaey.dll cupops.dll lensch.dll johandy.dll aotoppt.dll pewire.dll catower.dll wllame.dll

O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll

O21 - SSODL: dpvvoxmh.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\dpvvoxmh.dll

O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: nwapi32dj.dll - {A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} - C:\WINDOWS\System32\nwapi32dj.dll

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\dispexcb.dll

O21 - SSODL: irhkliqj.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\irhkliqj.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - C:\WINDOWS\System32\adsntzt.dll

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: twainyy.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\twainyy.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 8640 bytes

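
A defender-side way to read O1 lines like the ones in the log above, as an added example (not HijackThis code and not from the original post): it parses the O1 entries, expands shorthand addresses such as 127.1, and separates names that are blocked (pinned to loopback) from names that are redirected elsewhere. The sample log, the .invalid names and the 203.0.113.5 address in it are constructed.

```python
"""Triage the O1 (Hosts file) entries of a HijackThis log.

Added example for this thread, not HijackThis code and not from the original post.
Shorthand addresses such as "127.1" are expanded (the resolver reads them as
127.0.0.1); hostnames pinned to loopback are reported as blocked, hostnames
pinned to anything else as redirected.  SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict

O1_RE = re.compile(r"^O1 - Hosts:\s*(.*)$")

SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
O1 - Hosts: 127.1 localhost
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.1 vt0r48p760.cn
O1 - Hosts: 127.1 www.1txx.com
O1 - Hosts: 127.1 219.139.83.20
O1 - Hosts: 127.1 219.153.71.185
O1 - Hosts: 127.1 219.153.71.185
O1 - Hosts: 127.0.01 www.example-av.invalid
O1 - Hosts: 203.0.113.5 www.example-bank.invalid
O1 - Hosts: 127.0.01www.example.invalid
"""

def normalize_ip(text):
    """Expand inet_aton shorthand ("127.1", "127.0.01") to a dotted quad; None if not IPv4."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    head, tail = nums[:-1], nums[-1]
    width = 4 - len(head)  # the last component fills all remaining bytes
    if any(n > 255 for n in head) or tail >= 256 ** width:
        return None
    tail_bytes = [(tail >> (8 * i)) & 0xFF for i in reversed(range(width))]
    return ".".join(str(n) for n in head + tail_bytes)

def parse_o1_entries(log_text):
    """Return ([(address, hostname), ...], [malformed O1 payloads])."""
    entries, malformed = [], []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if not m:
            continue
        fields = m.group(1).split()
        if len(fields) < 2:  # address and hostname run together
            malformed.append(m.group(1))
        else:
            entries.append((fields[0], fields[1].lower()))
    return entries, malformed

def triage_log(log_text, block_threshold=10):
    """Summarise what the Hosts file does: which names are blocked, which are redirected."""
    entries, malformed = parse_o1_entries(log_text)
    by_ip, unparsable = defaultdict(list), []
    for addr, host in entries:
        norm = normalize_ip(addr)
        if norm is None:  # IPv6 or garbage in the address column
            unparsable.append((addr, host))
        else:
            by_ip[norm].append(host)
    blocked, redirected = set(), {}
    for addr, hosts in by_ip.items():
        if addr.startswith("127."):
            blocked.update(h for h in hosts if h != "localhost")
        else:
            redirected[addr] = sorted(set(hosts))  # the name now resolves elsewhere
    return {
        "blocked": sorted(blocked),
        "redirected": redirected,
        # an IP literal as hostname never matches a lookup: a sign of a generated file
        "ip_literal_hosts": sorted({h for hs in by_ip.values() for h in hs if normalize_ip(h)}),
        "duplicates": sorted(e for e, n in Counter(entries).items() if n > 1),
        "malformed": malformed,
        "unparsable": unparsable,
        "suspicious": bool(redirected) or len(blocked) >= block_threshold,
    }

if __name__ == "__main__":
    for key, value in triage_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any non-loopback target, or a loopback list longer than the threshold, flags the file; either way the fix the thread arrives at is the same, replace the Hosts file rather than fixing entries one by one.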

Alright, let's remove some stuff with HijackThis and see what comes of it.

O20 - AppInit_DLLs: mcromv.dll micsus.dll mduaey.dll cupops.dll lensch.dll johandy.dll aotoppt.dll pewire.dll catower.dll wllame.dll

O21 - SSODL: sysocmgr - {DA1DE019-A6A8-ED40-4B87-248B2A93DE99} - C:\WINDOWS\sysocmgr.dll

O21 - SSODL: dpvvoxmh.dll - {2876D76C-CAAA-4313-AF97-8D1D9A2A1087} - C:\WINDOWS\System32\dpvvoxmh.dll

O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O21 - SSODL: nwapi32dj.dll - {A2C3BA54-DF75-4881-8EB3-E54B26BBBBC9} - C:\WINDOWS\System32\nwapi32dj.dll

O21 - SSODL: dispexcb.dll - {76D44356-B494-443a-BEDC-AA68DE4255E6} - C:\WINDOWS\System32\dispexcb.dll

O21 - SSODL: irhkliqj.dll - {21BE5FDF-D4CB-4850-AD99-21E68B50BF3F} - C:\WINDOWS\System32\irhkliqj.dll

O21 - SSODL: xolehlpjh.dll - {F0930A2F-D971-4828-8209-B7DFD266ED44} - C:\WINDOWS\System32\xolehlpjh.dll

O21 - SSODL: mstimewd.dll - {65056902-6E7B-4bd7-95BA-688DB5FA5BEB} - C:\WINDOWS\System32\mstimewd.dll

O21 - SSODL: adsntzt.dll - {E0F3526A-4165-4589-80CD-50B6FBAC3BDA} - C:\WINDOWS\System32\adsntzt.dll

O21 - SSODL: avicapwm.dll - {6B9FEAD7-4319-4312-AB05-D8C9CD255BFE} - C:\WINDOWS\System32\avicapwm.dll

O21 - SSODL: twainyy.dll - {434FA69C-5F0A-42e1-82B8-10AF2C8E53C6} - C:\WINDOWS\System32\twainyy.dll

O4 - HKLM\..\Run: [3PMmUpdate] rundll32 "C:\WINDOWS\Update.dll",Main

After removing with HijackThis, restart and post a fresh HijackThis log.


On a good note, Task Manager is still working and that app in C: isn't running.

HIJACKTHIS:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:24:06 PM, on 9/13/2008

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\VERITAS Software\Update Manager\sgtray.exe

C:\HP\KBD\KBD.EXE

C:\windows\system\hpsysdrv.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wbem\wmiprvse.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/

O2 - BHO: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"

O4 - HKLM\..\Run: [VTPreset] VTPreset.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r

O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE

O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe

O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded

O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE

O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe

O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot

O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe

O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE

O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wrm32.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wrm32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1219522215203

O20 - AppInit_DLLs: mcromv.dll micsus.dll mduaey.dll cupops.dll lensch.dll johandy.dll aotoppt.dll pewire.dll catower.dll wllame.dll qxfel.dll eskisl.dll

O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

O21 - SSODL: lweurqhx.dll - {71A78CD4-E470-4a18-8457-E0E0283DD507} - C:\WINDOWS\System32\lweurqhx.dll

O21 - SSODL: slbiopfs2.dll - {EB9660D8-E1CD-4ff0-B4A9-00CD907F928A} - C:\WINDOWS\System32\slbiopfs2.dll

O21 - SSODL: tscfgwmijxsj.dll - {2CB77746-8ECC-40ca-8217-10CA8BE5EFC8} - C:\WINDOWS\System32\tscfgwmijxsj.dll

O21 - SSODL: cliconfgzx.dll - {7A6DF30E-D0F2-446f-B4F0-BF4232D60E07} - C:\WINDOWS\System32\cliconfgzx.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--

End of file - 7761 bytes


Just a quick note:

When I went to delete what you told me (I had already closed HijackThis, so I had to open it up and run another scan), O21 - SSODL: DesktopWin - {DA191DE0-AA86-4ED0-4B87-292A3D48BE99} - C:\WINDOWS\AppPatch\DesktopWin.dll was missing, but there was a new item: O21 - SSODL: ThunderAdvise - {97421D0D-E07F-40DF-8F07-99597B9585AD} - C:\WINDOWS\Downloaded Program Files\ThunderAdvise.dll

Edit: I did not delete that, though.


O10 - Unknown file in Winsock LSP: c:\windows\system32\wrm32.dll

O10 - Unknown file in Winsock LSP: c:\windows\system32\wrm32.dll

This isn't good. Again, I have to ask, man: is somebody using this computer while we're trying to clean it up?

I need you to reboot in safe mode and again check all those bad entries and remove them, restart your PC, open GMER, run a full scan and provide it as well as a fresh HijackThis log. We are certainly getting closer to removing whatever is on your PC.

Do you have your Windows CD handy? We may need to replace some damaged system files.


Hey, I noticed something in a post you made on the 8th.

2008-09-01, 14:26:47, Auto-clean mode specified.

2008-09-01, 14:26:48, Initialized Rootkit Driver version 1.6.0.1059.

I told you I wanted you to update Sysclean and scan with it again in safe mode, allowing it to remove whatever it needed to.

Not only didn't you do an updated scan (or, if you did, you provided a logfile that was created on the first of September)...

Virus Pattern Version : 513 (322944/322944 Patterns) (2008/09/01) (551300)

Sysclean isn't updated either.

UPDATE SYSCLEAN

Cmoney, I'm trying to help you with this recurring problem you're having, but this thread is getting pretty large, and you're not doing as I've asked, now on several occasions. If you are stuck on something I ask you to do, please stop and let me know. I've also noticed several times that Internet Explorer is running while you're doing HijackThis scans, and I'm assuming other scans in normal mode. Please close browsers whenever possible during malware removal.

If your logs have odd date/time stamps again, and you can't give me a good reason for it, I will stop assisting you. Please do exactly as I ask.


I'm sorry Raid,

I must be missing something. I haven't been updating Sysclean every time I run it, though the last time you told me to update it (on the 11th) I did and scanned; I didn't, however, provide a log because I thought you only wanted the HijackThis and MBAM logs.

BUT HERE IT IS:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2006-2007, Trend Micro, Inc. |

| http://www.antivirus.com |

\--------------------------------------------------------------/

2008-09-12, 15:10:31, Auto-clean mode specified.

2008-09-12, 15:10:31, Failed to initialize Rootkit Driver.

2008-09-12, 15:10:31, Running scanner "C:\sysclean\TSC.BIN"...

2008-09-12, 15:12:08, Scanner "C:\sysclean\TSC.BIN" has finished running.

2008-09-12, 15:12:08, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)

Windows XP(Build 2600: Service Pack 1)

Start time : Fri Sep 12 2008 15:10:31

Load Damage Cleanup Template (DCT) "C:\sysclean\TMRDCT.ptn" (version ) [fail]

Load Damage Cleanup Template (DCT) "C:\sysclean\tsc.ptn" (version 978) [success]

WORM_KORGO[virus found]

-->delete process("EXPLORER.EXE","","") success

-->delete registry value("HKEY_LOCAL_MACHINE","Software\Microsoft\Windows\CurrentVersion\Run","Cryptographic Service") success

-->delete file("C:\WINDOWS\System32\mqyvccvz.exe","","") success

-->delete registry value("HKEY_LOCAL_MACHINE","Software\Microsoft\Wireless","ID") success

-->create process("C:\WINDOWS\EXPLORER.EXE","","") success

Complete time : Fri Sep 12 2008 15:12:05

Execute pattern count(3022), Virus found count(1), Virus clean count(1), Clean failed count(0)

2008-09-12, 15:12:08, Running scanner "C:\sysclean\VSCANTM.BIN"...

2008-09-12, 17:27:07, Scanner "C:\sysclean\VSCANTM.BIN" has finished running.

2008-09-12, 17:27:07, VSCANTM Log:

2008-09-12, 17:27:07, Files Detected:

Copyright

This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.