
Solved XP SP2 crazy pop-ups from SpySweeper

Discussion in 'Malware and Virus Removal Archive' started by AndyB, 2008/04/04.

  1. 2008/04/04
    AndyB


    HELP!!!!

    I'm IT and PC savvy, but no expert. After noticing that ZoneAlarm had not completed updating, it was too late. My PC ran without firewall for 4 days and only then did I notice it. Running a scan I had picked up a trojan.gen and cleaned it up. No problem, I thought. Then today all went crazy and I have 3 SpySweeper alerts a second telling me that it has blocked access to any Spyware related page on the net. Ooops.

    Reading on the laptop I found this site and found that you have solved a similar problem in the past, which is why I am submitting my problem here, hoping that someone can help me get rid of this.

    Thank you for your time and effort in advance.

    I am including a Hijackthis and a SmitFraud log to describe the problem:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 21:12:01, on 04.Apr.08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    L:\EsetNOD\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    L:\Internet\Spy\SpySweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    L:\EsetNOD\nod32kui.exe
    C:\Program Files\avmwlanstick\FRITZWLANMini.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    L:\Internet\Spy\SpySweeper\SpySweeperUI.exe
    L:\Internet\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    D:\ActiveSync\wcescomm.exe
    D:\ACTIVE~1\rapimgr.exe
    L:\Internet\Spy\SuperSpy\SUPERAntiSpyware.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    L:\Internet\Spy\SpySweeper\SSU.EXE
    L:\Internet\Mozilla\firefox.exe
    D:\WinCommander\TOTALCMD.EXE
    G:\Setup\Tools\Fixes\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 196.7.77.238:80
    O1 - Hosts: 70.85.112.187 simplyrandom.com
    O1 - Hosts: 70.85.112.187 www.simplyrandom.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\Acrobat\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Pick-a-Proxy Toolbar - {A6790AA5-1213-4567-A46D-0FDAC4EA90EB} - L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll
    O2 - BHO: (no name) - {AC41D38F-B56D-40AD-94E0-B493D130C959} - (no file)
    O2 - BHO: FormFiller Helper - {C0D5D8B0-D626-4C77-8ED4-CFE4C41BCDA1} - L:\Internet\FORMFI~1\INETFO~1\FORMFI~1.DLL
    O3 - Toolbar: iNetFormFiller Bar - {B9F7135C-B512-4CC3-9316-FA0044083914} - L:\Internet\FORMFI~1\INETFO~1\FORMFI~1.DLL
    O3 - Toolbar: Pick-a-Proxy Toolbar - {A6790AA5-1213-4567-A46D-0FDAC4EA90EB} - L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Maplom] e:\GameJackal\Maplom.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [nod32kui] "L:\EsetNOD\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [AVMWlanClient] "C:\Program Files\avmwlanstick\FRITZWLANMini.exe"
    O4 - HKLM\..\Run: [WebCam III SetFirst] webc3uns setfirst
    O4 - HKLM\..\Run: [WebCam Autolaunch] webc3lch
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Lector de documentos Doc de Windows] CFLMON.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [muBlinder] L:\Internet\MU_Blinder\muBlinder.exe -startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "L:\Acrobat\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "L:\Internet\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [SpySweeper] L:\Internet\Spy\SpySweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [ProxyWay] L:\Internet\IP\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Vidalia] "L:\Internet\IP\TOR\Vidalia\vidalia.exe"
    O4 - HKCU\..\Run: [Hide IP Platinum] L:\Internet\IP\HideIPPlatinum\hideippla.exe
    O4 - HKCU\..\Run: [TVgenial] "L:\TVGenial\TVgenial.exe" -d
    O4 - HKCU\..\Run: [SUPERAntiSpyware] L:\Internet\Spy\SuperSpy\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] d:\tools\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Skype] "L:\Internet\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Privoxy.lnk = L:\Internet\IP\TOR\Privoxy\privoxy.exe
    O8 - Extra context menu item: &Pick-a-Proxy Toolbar - res://L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll/MENUSEARCH.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - L:\Internet\Spy\SPYWAR~1\tools\iesdpb.dll (file missing)
    O9 - Extra button: iNetFormFiller Bar - {8B393324-2563-4E7A-B272-859BE0D2BA11} - L:\Internet\FORMFI~1\INETFO~1\FORMFI~1.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189708859906
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189708832328
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - L:\Internet\Spy\SuperSpy\SASWINLO.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\Program Files\Common Files\AVM\de_serv.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - L:\EsetNOD\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - Unknown owner - L:\Internet\Spy\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - L:\Internet\Spy\Spyware Doctor\swdsvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - L:\Internet\Spy\SpySweeper\SpySweeper.exe

    --
    End of file - 9229 bytes

    SmitFraudFix v2.309

    Scan done at 21:28:41.85, 04.Apr.08
    Run from G:\Setup\Tools\Fixes\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    L:\EsetNOD\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    L:\Internet\Spy\SpySweeper\SpySweeper.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    L:\EsetNOD\nod32kui.exe
    C:\Program Files\avmwlanstick\FRITZWLANMini.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    L:\Internet\Spy\SpySweeper\SpySweeperUI.exe
    L:\Internet\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    D:\ActiveSync\wcescomm.exe
    D:\ACTIVE~1\rapimgr.exe
    L:\Internet\Spy\SuperSpy\SUPERAntiSpyware.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    L:\Internet\Spy\SpySweeper\SSU.EXE
    L:\Internet\Mozilla\firefox.exe
    D:\WinCommander\TOTALCMD.EXE
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    127.0.0.1 www.legal-at-spybot.info
    127.0.0.1 legal-at-spybot.info

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Andy


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Andy\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Andy\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» IEDFix
    !!!Attention, following keys are not inevitably infected!!!

    IEDFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» VACFix
    !!!Attention, following keys are not inevitably infected!!!

    VACFix
    Credits: Malware Analysis & Diagnostic
    Code: S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: NVIDIA nForce Networking Controller
    DNS Server Search Order: 172.28.111.11

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{BDEB2117-42E8-4B63-B2E5-F682E093EF4C}: DhcpNameServer=172.28.111.11
    HKLM\SYSTEM\CS2\Services\Tcpip\..\{BDEB2117-42E8-4B63-B2E5-F682E093EF4C}: DhcpNameServer=172.28.111.11
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{BDEB2117-42E8-4B63-B2E5-F682E093EF4C}: DhcpNameServer=172.28.111.11
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.28.111.11
    HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=172.28.111.11
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=172.28.111.11


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Any ideas where I should start looking? I noticed the hosts file, which I don't use for this home PC with only a single user. It is FULL of sites supposedly inserted by SpyBot.

    Thanks for any input.

    //AndyB
     
  2. 2008/04/05
    noahdfear

    Welcome to WindowsBBS AndyB :)

    Please get an updated version of HijackThis from here and run a scan, saving the log. I won't need to see that log though. We'll use another tool to get a closer look at things.

    Download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.


    Is this IP familiar to you? 172.28.111.11
    Or this one? 196.7.77.238

    Would you mind sending me a copy of that HOSTS file? Put RE: smitRem in the subject line.
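The two questions noahdfear raises above (is the ProxyServer address in the R1 line one the user recognises, and is the DNS server a machine on the local network) and the hosts, BHO, Run and service entries in AndyB's HijackThis log lend themselves to a mechanical first pass. The script below is an added example, not part of either post and not HijackThis's own logic. It reads HijackThis-style lines and flags a proxy pointing at a public (non-private, non-loopback) address, hosts entries that either sinkhole a name to loopback or pin it to a foreign address, BHO registrations with no DLL on disk, Run entries that name a bare executable found by PATH search, and services whose binary is missing or reports no owner. The sample lines are copied from the posted log, except the legal-at-spybot entry, which is rewritten here as an O1 line from the SmitFraudFix hosts section. The rule names and what counts as suspicious are this example's own choices; a flagged line is a question to ask, not a verdict, which is why the legitimate Java BHO and NOD32 service lines are included and come through clean.

```python
"""Triage of HijackThis-style log lines for the hijack indicators discussed in
the thread.  Added example, not part of the original posts or of HijackThis.
SAMPLE_LOG is copied from the posted log, with the legal-at-spybot hosts entry
from the SmitFraudFix section rewritten as an O1 line; the rules are this
example's own heuristics."""
import ipaddress
import re

SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 196.7.77.238:80
O1 - Hosts: 70.85.112.187 simplyrandom.com
O1 - Hosts: 127.0.0.1 www.legal-at-spybot.info
O2 - BHO: (no name) - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [Lector de documentos Doc de Windows] CFLMON.EXE
O4 - HKLM\\..\\Run: [nod32kui] "L:\\EsetNOD\\nod32kui.exe" /WAITSERVICE
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\\Program Files\\Common Files\\AVM\\de_serv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - L:\\EsetNOD\\nod32krn.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def is_public_ip(host):
    """True only for an IP literal outside private, loopback and link-local space.
    172.28.111.11 is RFC1918 space (False); 196.7.77.238 is routable (True)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address: outside this check's scope
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def executable_of(command):
    """First token of a Run-key command: the quoted path, or the first bare word."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def check_line(line):
    """Return a list of (section, rule, detail) findings for one log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    found = []
    if section == "R1" and "ProxyServer" in body:
        target = body.split("=", 1)[1].strip()
        if is_public_ip(target.rsplit(":", 1)[0]):
            found.append((section, "proxy-public-ip",
                          f"browser traffic relayed through {target}"))
    elif section == "O1" and body.startswith("Hosts:"):
        ip_str, name = body[len("Hosts:"):].split()[:2]
        if ipaddress.ip_address(ip_str).is_loopback:
            found.append((section, "hosts-sinkhole", f"{name} blocked via {ip_str}"))
        else:
            found.append((section, "hosts-redirect",
                          f"{name} pinned to {ip_str}, bypassing DNS"))
    elif section == "O2" and body.endswith("(no file)"):
        clsid = CLSID_RE.search(body).group(0)
        found.append((section, "orphan-bho", f"{clsid} registered, DLL absent"))
    elif section == "O4" and "]" in body:
        exe = executable_of(body.split("]", 1)[1])
        if "\\" not in exe:  # no directory: whatever PATH finds first gets run
            found.append((section, "autostart-no-path",
                          f"{exe} is located by PATH search, not a fixed path"))
    elif section == "O23":
        if body.endswith("(file missing)"):
            found.append((section, "service-file-missing", body.split(" - ")[-1]))
        if " - Unknown owner - " in body:
            found.append((section, "service-unknown-owner", body.split(" - ")[0]))
    return found


def triage(log_text):
    """Run check_line over every line and return all findings in log order."""
    return [f for line in log_text.splitlines() for f in check_line(line)]


if __name__ == "__main__":
    for section, rule, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {rule:22} {detail}")
```

Run as a script it prints seven findings for the sample: the public proxy, both hosts entries (one redirect, one sinkhole), the orphan BHO, the bare CFLMON.EXE autostart, and two for the de_serv service. The same distinction is_public_ip draws is the one behind the question about 172.28.111.11 versus 196.7.77.238: a DNS server on a private range is expected on a home LAN, while a proxy on a public address means every browser request leaves through a third party.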
     


  4. 2008/04/09
    AndyB

    Hi,

    Thank you for your help!! Much appreciated.

    Yes, the first IP is my Laptop. The second is a proxy I used some time ago.

    The Hosts file: weird story. I deleted all entries (except the simplyrandom ones which I need to override the block from either NOD or ZoneAlarm, whichever is blocking here :)) and since then all is quiet. But I must have /have had something here that generated this. The only odd file was the trojan.gen, which was fixed - I hope. I can't really get a handle on this trojan.gen as I found so many conflicting posts.

    OK, here's the DSS log:

    Deckard's System Scanner v20071014.68
    Run by Andy on 2008-04-09 14:44:54
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    23: 2008-04-09 12:44:59 UTC - RP253 - Deckard's System Scanner Restore Point
    22: 2008-04-04 23:00:28 UTC - RP252 - Spybot-S&D Spyware removal
    21: 2008-02-28 14:24:45 UTC - RP251 - Unsigned driver install
    20: 2008-02-21 11:09:07 UTC - RP250 - Unsigned driver install
    19: 2008-02-15 11:17:55 UTC - RP249 - Installed Adobe Reader 6.0.1


    -- First Restore Point --
    1: 2007-10-18 11:35:32 UTC - RP231 - Removed J2SE Runtime Environment 5.0 Update 6


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis Clone ------------------------------------------------------------


    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-04-09 14:47:29
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    L:\ESETNOD\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Speed Disk\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    L:\Internet\Spy\SpySweeper\SpySweeper.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    L:\ESETNOD\nod32kui.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    L:\Internet\ZoneAlarm\zlclient.exe
    L:\Internet\Spy\SpySweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    D:\ActiveSync\wcescomm.exe
    D:\ActiveSync\rapimgr.exe
    L:\Internet\Spy\SuperSpy\SUPERANTISPYWARE.EXE
    L:\Internet\Spy\Spybot\TeaTimer.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
    L:\Internet\Spy\SpySweeper\ssu.exe
    L:\Internet\Mozilla\firefox.exe
    G:\Setup\Tools\SystemScannerDeckard\dss.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 196.7.77.238:80
    O1 - Hosts: 70.85.112.187 simplyrandom.com
    O1 - Hosts: 70.85.112.187 www.simplyrandom.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\Acrobat\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - L:\Internet\Spy\Spybot\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Pick-a-Proxy Toolbar - {A6790AA5-1213-4567-A46D-0FDAC4EA90EB} - L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll
    O2 - BHO: (no name) - {AC41D38F-B56D-40AD-94E0-B493D130C959} - (no file)
    O2 - BHO: FormFiller Helper - {C0D5D8B0-D626-4C77-8ED4-CFE4C41BCDA1} - L:\Internet\FormFillers\iNetFormFiller Freeware\FormFiller.dll
    O3 - Toolbar: iNetFormFiller Bar - {B9F7135C-B512-4CC3-9316-FA0044083914} - L:\Internet\FormFillers\iNetFormFiller Freeware\FormFiller.dll
    O3 - Toolbar: Pick-a-Proxy Toolbar - {A6790AA5-1213-4567-A46D-0FDAC4EA90EB} - L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Maplom] e:\GameJackal\Maplom.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [nod32kui] "L:\EsetNOD\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [AVMWlanClient] "C:\Program Files\avmwlanstick\FRITZWLANMini.exe"
    O4 - HKLM\..\Run: [WebCam III SetFirst] webc3uns setfirst
    O4 - HKLM\..\Run: [WebCam Autolaunch] webc3lch
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Lector de documentos Doc de Windows] CFLMON.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [muBlinder] L:\Internet\MU_Blinder\muBlinder.exe -startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "L:\Acrobat\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ZoneAlarm Client] "L:\Internet\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SpySweeper] "L:\Internet\Spy\SpySweeper\SpySweeperUI.exe" /startintray
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe"
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [ProxyWay] L:\Internet\IP\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Vidalia] "L:\Internet\IP\TOR\Vidalia\vidalia.exe"
    O4 - HKCU\..\Run: [Hide IP Platinum] L:\Internet\IP\HideIPPlatinum\hideippla.exe
    O4 - HKCU\..\Run: [TVgenial] "L:\TVGenial\TVgenial.exe" -d
    O4 - HKCU\..\Run: [SUPERAntiSpyware] L:\Internet\Spy\SuperSpy\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] d:\tools\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Skype] "L:\Internet\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] L:\Internet\Spy\Spybot\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Logitech SetPoint.lnk = ?
    O4 - Global Startup: Privoxy.lnk = L:\Internet\IP\TOR\Privoxy\privoxy.exe
    O8 - Extra context menu item: &Pick-a-Proxy Toolbar - res://L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll/MENUSEARCH.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - L:\Internet\Spy\SPYWAR~1\tools\iesdpb.dll (file missing)
    O9 - Extra button: iNetFormFiller Bar - {8B393324-2563-4E7A-B272-859BE0D2BA11} - (file missing)
    O10 - Unknown file in Winsock LSP: C:\WINDOWS\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc3.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189708859906
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189708832328
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
    O20 - Winlogon Notify: !SASWinLogon - L:\Internet\Spy\SuperSpy\SASWINLO.dll
    O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\Program Files\Common Files\AVM\de_serv.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - L:\ESETNOD\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - L:\Internet\Spy\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - L:\Internet\Spy\Spyware Doctor\swdsvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\NOPDB.EXE
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - L:\Internet\Spy\SpySweeper\SpySweeper.exe


    --
    End of file - 8725 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R0 giveio - c:\windows\system32\giveio.sys
    R0 isdnlink - c:\windows\system32\drivers\linkisdn.sys
    R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
    R1 AsIO - c:\windows\system32\drivers\asio.sys
    R1 SASDIFSV - l:\internet\spy\superspy\sasdifsv.sys
    R2 PAR1284 - c:\windows\system32\drivers\par1284.sys <Not Verified; Warp Nine Engineering; IEEE 1284 Driver>
    R2 PPNT - c:\windows\system32\drivers\ppnt.sys <Not Verified; Corex Technologies Corp.; CardScan>
    R3 Maplom - c:\windows\system32\drivers\maplom.sys <Not Verified; Jacal Consulting; Game Jackal>
    R3 SASENUM - l:\internet\spy\superspy\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
    R3 USBIO (USB-Casablanca-Link) - c:\windows\system32\drivers\usbio.sys <Not Verified; Thesycon GmbH, Germany; Universal USB Device Driver>
    R3 wanlink - c:\windows\system32\drivers\wanlink.sys

    S3 cel90xbe - c:\windows\temp\cel90xbe.sys (file missing)
    S3 NETFWDSL (AVM FRITZ!web DSL PPP) - c:\windows\system32\drivers\netfwdsl.sys (file missing)
    S3 SABProcEnum - l:\internet\mozilla\mozill~1\sabprocenum.sys (file missing)
    S3 SunkFilt (Alcor Micro Corp - 9360) - c:\windows\system32\drivers\sunkfilt.sys <Not Verified; Alcor Micro Corp.; SunkFilt>
    S3 ulisa (Telekom Eumex x04PC (USB)) - c:\windows\system32\drivers\ulisa.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Speed Disk service - c:\program files\speed disk\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>

    S3 de_serv (AVM FRITZ!web Routing Service) - c:\program files\common files\avm\de_serv.exe (file missing)


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2006-05-07 14:20:06 374 --a------ C:\WINDOWS\Tasks\1-Klick-Wartung.job


    -- Files created between 2008-03-09 and 2008-04-09 -----------------------------

    2008-04-04 21:29:19 3802 --a------ C:\WINDOWS\system32\tmp.reg
    2008-04-02 19:45:04 691545 --a------ C:\WINDOWS\unins000.exe
    2008-04-02 19:45:04 4590 --a------ C:\WINDOWS\unins000.dat


    -- Find3M Report ---------------------------------------------------------------

    2008-04-09 14:44:03 0 d-------- C:\Documents and Settings\Andy\Application Data\Skype
    2008-04-09 14:43:37 0 d-------- C:\Documents and Settings\Andy\Application Data\Vidalia
    2008-04-09 14:33:30 0 d-------- C:\Documents and Settings\Andy\Application Data\Tor
    2008-04-09 11:16:14 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
    2008-03-21 12:34:03 0 d-------- C:\Documents and Settings\Andy\Application Data\AdobeUM
    2008-03-02 15:28:36 0 d-------- C:\Documents and Settings\Andy\Application Data\Adobe
    2008-02-17 14:13:54 0 d-------- C:\Program Files\Common Files
    2008-02-15 21:05:15 0 d-------- C:\Documents and Settings\Andy\Application Data\ACD Systems
    2008-02-15 13:18:25 0 d-------- C:\Program Files\Common Files\Adobe
    2008-02-13 15:22:05 0 d-------- C:\Program Files\Common Files\Logishrd
    2008-02-13 15:21:44 0 d-------- C:\Program Files\Common Files\Logitech
    2008-02-13 15:21:14 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-02-06 17:53:42 30 --a------ C:\WINDOWS\system32\memio.dll
    2008-02-04 21:26:34 151040 ---hs---- C:\WINDOWS\system32\VistaUltm.dll
    2008-02-04 17:15:27 0 --a------ C:\WINDOWS\Infob.dat
    2008-02-04 17:15:27 0 --a------ C:\WINDOWS\Infoa.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "nwiz"="nwiz.exe" [22.Oct.06 13:22 C:\WINDOWS\system32\nwiz.exe]
    "Sunkist2k"="C:\Program Files\Multimedia Card Reader\shwicon2k.exe" [17.Dec.03 16:28]
    "HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [12.Dec.01 01:33]
    "Maplom"="e:\GameJackal\Maplom.exe" [30.Sep.05 13:19]
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03.Aug.04 02:05]
    "nod32kui"="L:\EsetNOD\nod32kui.exe" [15.Mar.07 16:00]
    "AVMWlanClient"="C:\Program Files\avmwlanstick\FRITZWLANMini.exe" [20.Apr.06 16:47]
    "pdfSaver3"="" []
    "WebCam III SetFirst"="webc3uns setfirst" []
    "WebCam Autolaunch"="webc3lch" []
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [21.Sep.07 04:10 C:\WINDOWS\KHALMNPR.Exe]
    "Lector de documentos Doc de Windows"="CFLMON.EXE" []
    "SoundMan"="SOUNDMAN.EXE" [15.Apr.05 11:01 C:\WINDOWS\SOUNDMAN.EXE]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" []
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [16.May.06 12:58]
    "ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [16.May.06 12:58]
    "muBlinder"="L:\Internet\MU_Blinder\muBlinder.exe" []
    "Adobe Reader Speed Launcher"="L:\Acrobat\Reader\Reader_sl.exe" []
    "ZoneAlarm Client"="L:\Internet\ZoneAlarm\zlclient.exe" [13.Mar.08 23:11]
    "NvCplDaemon"="RUNDLL32.exe" [04.Aug.04 00:56 C:\WINDOWS\system32\rundll32.exe]
    "SpySweeper"="L:\Internet\Spy\SpySweeper\SpySweeperUI.exe" [04.Jan.08 20:56]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04.Aug.04 00:56]
    "pdfSaver3"="C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe" [05.Sep.04 18:20]
    "H/PC Connection Agent"="D:\ActiveSync\wcescomm.exe" [26.Jun.06 16:13]
    "ProxyWay"="L:\Internet\IP\ProxyWay\proxyway.exe" []
    "Vidalia"="L:\Internet\IP\TOR\Vidalia\vidalia.exe" [31.Aug.06 01:01]
    "Hide IP Platinum"="L:\Internet\IP\HideIPPlatinum\hideippla.exe" []
    "TVgenial"="L:\TVGenial\TVgenial.exe" []
    "SUPERAntiSpyware"="L:\Internet\Spy\SuperSpy\SUPERAntiSpyware.exe" [09.Mar.08 18:46]
    "Uniblue RegistryBooster 2"="d:\tools\RegistryBooster 2\RegistryBooster.exe" []
    "Skype"="L:\Internet\Skype\Phone\Skype.exe" [02.Jul.07 17:10]
    "SpybotSD TeaTimer"="L:\Internet\Spy\Spybot\TeaTimer.exe" [12.May.04 01:03]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [03.Apr.07 23:27:39]
    Privoxy.lnk - L:\Internet\IP\TOR\Privoxy\privoxy.exe [20.Nov.06 15:30:54]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoAutoUpdate "=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= L:\Internet\Spy\SuperSpy\SASSEH.DLL [20.Dec.06 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    L:\Internet\Spy\SuperSpy\SASWINLO.dll 19.Apr.07 13:41 294912 L:\Internet\Spy\SuperSpy\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 15.Nov.07 11:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Phone Connection Monitor.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Phone Connection Monitor.lnk
    backup=C:\WINDOWS\pss\Phone Connection Monitor.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfSaver3]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCam Autolaunch]
    webc3lch

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebCam III SetFirst]
    webc3uns setfirst


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b5ee3a63-68cb-11db-aa4a-0013d48d5c56}]
    AutoRun\command- S:\pushinst.exe




    -- Hosts -----------------------------------------------------------------------

    70.85.112.187 simplyrandom.com
    70.85.112.187 www.simplyrandom.com


    -- End of Deckard's System Scanner: finished at 2008-04-09 14:49:25 ------------
     
  5. 2008/04/09
    noahdfear
    Hi Andy,

    Glad to hear fixing that HOSTS file stopped the messages. Scan again with HijackThis and place a check next to the following entries.

    O2 - BHO: (no name) - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - (no file)
    O4 - HKLM\..\Run: [Lector de documentos Doc de Windows] CFLMON.EXE << this one has conflicting search results also. Please search for the CFLMON.exe file and view its properties if found.

    Close all other windows then click Fix Checked.


    You've also got a rogue service to remove. Click Start>Run and type or paste the following command, then hit enter.

    sc delete cel90xbe


    Recommend you now run an online scan. Please do an online scan with Kaspersky WebScanner.

    Click Scan Now and accept the agreement. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under select a target to scan, select My Computer.
    • The program will start and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button.
    • Save the file to your desktop.

    Post the Kaspersky log and one more fresh HijackThis log.
     
  6. 2008/04/10
    AndyB
    Hi,

    Done! Whew, what a task.

    Ran the HijackThis and deleted the two entries. I checked in the registry and they are gone. Pity I didn't do the same thing before to verify.

    The Kaspersky action was a nightmare. It found so many entries (28 pages) that it was impossible to qualify. So I exported the whole report to Word and then deleted all locked and other useless stuff and went through the remaining ones. The worst job was eliminating all the e-mail stuff they found in all backups. The rest are either false positive or not relevant anymore. I will delete these ancient files. I have now checked and found that NOD - which normally gets high marks - does not seem to check Thunderbird e-mails as Outlook is also present. I'll have to look into that.

    As I regularly clean out the Temp directory, there are no files to delete.

    It is a strange feeling that going through all the reports it seems that your entire life is spread out in front of you :))

    I hope this looks ok now.

    Thank you VERY much for the help and support you have offered.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, April 10, 2008 17:01:13
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 10/04/2008
    Kaspersky Anti-Virus database records: 695693
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\, D:\, E:\, F:\, G:\, H:\, I:\, J:\, K:\, L:\, M:\, R:\, S:\, T:\, U:\, V:\

    Scan Statistics:
    Total number of scanned objects: 337241
    Number of viruses found: 48
    Number of infected objects: 186
    Number of suspicious objects: 10
    Duration of the scan process: 03:12:32

    Infected Object Name / Virus Name / Last Action
    G:\Setup\Internet\AudioGalaxy\AGSetup0609.exe/fsg-ag.exe Infected: not-a-virus:AdWare.Win32.Gator.3102 skipped
    G:\Setup\Internet\IP_Tools\anonymousfriend_27.exe/file4 Infected: Trojan-Downloader.Win32.TSUpdate.d skipped
    G:\Setup\Photo\DXPlayer\GDiVXZen1.2.exe/data0005 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
    G:\Setup\Tools\UnErase\DataRecoveryWizard_Setup3.0.exe Infected: not-a-virus:Downloader.Win32.WinFixer.fs skipped
    G:\Setup\Tools\Fixes\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    G:\Setup\Tools\Fixes\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    G:\Setup\Tools\Fixes\SmitfraudFix.exe RarSFX: infected - 2 skipped
    G:\Setup\Tools\Fixes\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
    G:\Setup\CRACKS\lcsrc.zip/lc_cli.exe Infected: not-a-virus:pSWTool.Win32.MDupdate skipped
    G:\Setup\CRACKS\radmin20.zip ZIP: infected - 5 skipped
    G:\Setup\CRACKS\Password Revealer\Password_RevelationV2.zip ZIP: infected - 3 skipped
    M:\AllElli\LAPTOP\!Dats\Archives\Personal.pst Mail MS Mail: infected - 15 skipped

    Scan process completed.



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:07:24, on 10.Apr.08
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    L:\EsetNOD\nod32krn.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Speed Disk\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    L:\Internet\Spy\SpySweeper\SpySweeper.exe
    C:\Program Files\Multimedia Card Reader\shwicon2k.exe
    E:\GameJackal\Maplom.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    L:\EsetNOD\nod32kui.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    L:\Internet\ZoneAlarm\zlclient.exe
    L:\Internet\Spy\SpySweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
    D:\ActiveSync\wcescomm.exe
    D:\ACTIVE~1\rapimgr.exe
    L:\Internet\Spy\SuperSpy\SUPERAntiSpyware.exe
    L:\Internet\Spy\Spybot\TeaTimer.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    L:\Internet\Spy\SpySweeper\SSU.EXE
    D:\Tools\HiJackThis\HijackThis_2008.exe
    L:\Internet\Mozilla\Thunderbird\thunderbird.exe
    L:\INTERNET\MOZILLA\FIREFOX.EXE
    D:\WinCommander\TOTALCMD.EXE
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 196.7.77.238:80
    O1 - Hosts: 70.85.112.187 simplyrandom.com
    O1 - Hosts: 70.85.112.187 www.simplyrandom.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - L:\Acrobat\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - L:\Internet\Spy\Spybot\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Pick-a-Proxy Toolbar - {A6790AA5-1213-4567-A46D-0FDAC4EA90EB} - L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll
    O2 - BHO: (no name) - {AC41D38F-B56D-40AD-94E0-B493D130C959} - (no file)
    O2 - BHO: FormFiller Helper - {C0D5D8B0-D626-4C77-8ED4-CFE4C41BCDA1} - L:\Internet\FORMFI~1\INETFO~1\FORMFI~1.DLL
    O3 - Toolbar: iNetFormFiller Bar - {B9F7135C-B512-4CC3-9316-FA0044083914} - L:\Internet\FORMFI~1\INETFO~1\FORMFI~1.DLL
    O3 - Toolbar: Pick-a-Proxy Toolbar - {A6790AA5-1213-4567-A46D-0FDAC4EA90EB} - L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll
    O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
    O4 - HKLM\..\Run: [Sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe "
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Maplom] e:\GameJackal\Maplom.exe
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [nod32kui] "L:\EsetNOD\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [AVMWlanClient] "C:\Program Files\avmwlanstick\FRITZWLANMini.exe "
    O4 - HKLM\..\Run: [WebCam III SetFirst] webc3uns setfirst
    O4 - HKLM\..\Run: [WebCam Autolaunch] webc3lch
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
    O4 - HKLM\..\Run: [muBlinder] L:\Internet\MU_Blinder\muBlinder.exe -startup
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "L:\Acrobat\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [ZoneAlarm Client] "L:\Internet\ZoneAlarm\zlclient.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SpySweeper] L:\Internet\Spy\SpySweeper\SpySweeperUI.exe /startintray
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe "
    O4 - HKCU\..\Run: [H/PC Connection Agent] "D:\ActiveSync\wcescomm.exe "
    O4 - HKCU\..\Run: [ProxyWay] L:\Internet\IP\ProxyWay\proxyway.exe
    O4 - HKCU\..\Run: [Vidalia] "L:\Internet\IP\TOR\Vidalia\vidalia.exe "
    O4 - HKCU\..\Run: [Hide IP Platinum] L:\Internet\IP\HideIPPlatinum\hideippla.exe
    O4 - HKCU\..\Run: [TVgenial] "L:\TVGenial\TVgenial.exe" -d
    O4 - HKCU\..\Run: [SUPERAntiSpyware] L:\Internet\Spy\SuperSpy\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] d:\tools\RegistryBooster 2\RegistryBooster.exe /S
    O4 - HKCU\..\Run: [Skype] "L:\Internet\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] L:\Internet\Spy\Spybot\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Privoxy.lnk = L:\Internet\IP\TOR\Privoxy\privoxy.exe
    O8 - Extra context menu item: &Pick-a-Proxy Toolbar - res://L:\Internet\IP\Pick-a-Proxy Toolbar\PLOToolbar.dll/MENUSEARCH.HTM
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - L:\Internet\Spy\SPYWAR~1\tools\iesdpb.dll (file missing)
    O9 - Extra button: iNetFormFiller Bar - {8B393324-2563-4E7A-B272-859BE0D2BA11} - L:\Internet\FORMFI~1\INETFO~1\FORMFI~1.DLL
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189708859906
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) -
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189708832328
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - L:\Internet\Spy\SuperSpy\SASWINLO.dll
    O23 - Service: AVM FRITZ!web Routing Service (de_serv) - Unknown owner - C:\Program Files\Common Files\AVM\de_serv.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - L:\EsetNOD\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - L:\Internet\Spy\Spyware Doctor\svcntaux.exe
    O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - L:\Internet\Spy\Spyware Doctor\swdsvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - L:\Internet\Spy\SpySweeper\SpySweeper.exe

    --
    End of file - 9041 bytes
     
  7. 2008/04/10
    noahdfear
    Fix the following with HijackThis.

    O2 - BHO: (no name) - {AC41D38F-B56D-40AD-94E0-B493D130C959} - (no file)
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.5.0_11) -
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -


    Is that Kaspersky log what remains after you went through everything? Suggest running the scan again, then post a fresh log (unedited please).
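The two helper posts above (posts 5 and 7) pick out the same few entry types from the HijackThis logs: a HOSTS line that maps a name to an outside address (O1), browser helper objects and buttons whose file is gone (O2/O9), a Run entry given only as a bare file name like CFLMON.EXE (O4), and ActiveX/DPF entries with no download source (O16). The script below is an added example, not code from the thread and not part of HijackThis; it applies those same checks to a log mechanically. It assumes the section codes and the "(no file)" / "(file missing)" markers exactly as they appear in the logs posted here, and the sample log it runs on is constructed from lines in this thread.

```python
"""Triage a HijackThis-style log for the entry types handled in this thread.
Added example; not HijackThis code and not code posted in the thread."""
import re
from dataclasses import dataclass

# Addresses a HOSTS line may legitimately point at; anything else is a redirect.
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}
# Suffixes HijackThis prints for entries whose backing file is gone.
MISSING_MARKERS = ("(no file)", "(file missing)")
# Sections where a missing file means the entry is orphaned.
FILE_BACKED_SECTIONS = {"O2", "O3", "O9", "O20"}


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O1"
    reason: str    # why the line was flagged
    line: str      # the original log line


def check_hosts(line):
    """O1: flag HOSTS entries that map a name to a non-loopback address."""
    m = re.match(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", line)
    if not m or m.group(1) in LOOPBACK:
        return None
    ip, host = m.groups()
    return Finding("O1", f"HOSTS maps {host} to non-loopback address {ip}", line)


def check_missing_file(line):
    """O2/O3/O9/O20: flag entries whose DLL or EXE no longer exists."""
    section = line.split(" - ", 1)[0]
    if section in FILE_BACKED_SECTIONS and line.endswith(MISSING_MARKERS):
        return Finding(section, "orphaned entry, its file is missing", line)
    return None


def run_target(rest):
    """Extract the executable from the text after '[name]' in an O4 line."""
    if rest.startswith('"'):                 # quoted path, possibly with args
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    parts = rest.split()
    return parts[0] if parts else ""


def check_bare_run_target(line):
    """O4: flag Run entries given as a bare file name (no drive or folder).
    Such a name is resolved through the search path at logon, so the log does
    not show which file runs; locate it and inspect it, as asked for CFLMON.EXE."""
    m = re.match(r"^O4 - .*?\\Run: \[([^\]]+)\]\s*(.*)$", line)
    if not m:
        return None
    name, rest = m.groups()
    target = run_target(rest.strip())
    if target and "\\" not in target and ":" not in target:
        return Finding("O4", f"Run entry [{name}] uses bare file name {target}", line)
    return None


def check_dpf_without_source(line):
    """O16: flag ActiveX/DPF entries that list no download URL."""
    m = re.match(r"^O16 - DPF: \{[^}]+\} \(([^)]*)\) -\s*$", line)
    if not m:
        return None
    return Finding("O16", f"DPF entry '{m.group(1)}' has no download source", line)


CHECKS = (check_hosts, check_missing_file, check_bare_run_target, check_dpf_without_source)


def triage(log_text):
    """Run every check over every line; return findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        findings.extend(f for f in (check(line) for check in CHECKS) if f is not None)
    return findings


def summarize(findings):
    """Count findings per HijackThis section."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


# Constructed sample in HijackThis format; the lines mirror this thread's own logs.
SAMPLE_LOG = r"""
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 70.85.112.187 simplyrandom.com
O2 - BHO: (no name) - {AC41D38F-B56D-40AD-94E0-B493D130C959} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Lector de documentos Doc de Windows] CFLMON.EXE
O4 - HKLM\..\Run: [nod32kui] "L:\EsetNOD\nod32kui.exe" /WAITSERVICE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - L:\Internet\Spy\SPYWAR~1\tools\iesdpb.dll (file missing)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
        print(f"    {f.line}")
```

Run against the sample it flags five lines, one per category, and leaves the loopback HOSTS line, the quoted full-path Run entry and the DPF entry that still has a Microsoft download URL alone. The O4 check deliberately flags any bare name rather than trying to decide whether it is malicious: a bare name tells you nothing about which file on the search path actually runs, which is exactly why the helper asked for CFLMON.EXE to be located and its properties checked before anything was removed.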
     
  8. 2008/04/19
    AndyB
    OK, thanks a million for the help. I can't say that often enough!!!!

    I deleted the entries you pointed out. Java seems to love its outdated versions.

    I did another scan with Kaspersky:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Saturday, April 19, 2008 18:57:33
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/04/2008
    Kaspersky Anti-Virus database records: 640654
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: false
    Scan Mail Bases: false

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    K:\
    L:\
    M:\
    R:\
    S:\
    T:\
    U:\
    V:\

    Scan Statistics:
    Total number of scanned objects: 335204
    Number of viruses found: 25
    Number of infected objects: 35
    Number of suspicious objects: 1
    Duration of the scan process: 01:20:37

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\$_hpcst$.hpc Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\history.dat Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\key3.db Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\call256.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\callmember256.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\chat512.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\chat8192.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\chatmember256.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\chatmsg1024.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\chatmsg2048.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\chatmsg256.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\chatmsg512.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\contactgroup256.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\dyncontent\bundle.dat Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\index2.dat Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\profile16384.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\transfer256.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\user1024.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\user16384.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Skype\andybonn\voicemail256.dbb Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\AppLogs\SUPERANTISPYWARE-4-19-2008( 13-34-8 ).LOG Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\abook.mab Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\cert8.db Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\impab-1.mab Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\impab-2.mab Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\impab-3.mab Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\impab.mab Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\key3.db Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\Local Folders\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\Local Folders\Sent.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\Local Folders\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1-1.com\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1-1.com\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1-1.de\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1-1.de\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1-2.com\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1-2.com\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1.com\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1.com\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1.de\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.1und1.de\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.gmx.com\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.gmx.com\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.mail.yahoo-1.com\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.mail.yahoo-1.com\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.mail.yahoo.com\Inbox.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\Mail\pop.mail.yahoo.com\Trash.msf Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\panacea.dat Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\parent.lock Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Thunderbird\Profiles\32ela5it.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\Andy\Application Data\Webroot\Spy Sweeper\Logs\080419133408.ses Object is locked skipped
    C:\Documents and Settings\Andy\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\Application Data\Mozilla\Firefox\Profiles\qafyajyf.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\History\History.IE5\MSHist012008041920080420\index.dat Object is locked skipped
    C:\Documents and Settings\Andy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andy\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Andy\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Log.txt Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\ANDY.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\WCESLog.log Object is locked skipped
    C:\WINDOWS\Temp\ZLT04e88.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT04e8b.TMP Object is locked skipped
    C:\WINDOWS\Temp\~DFD6E3.tmp Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    H:\SavesAnanke\Dokumente und Einstellungen\me\Anwendungsdaten\AVG7\QUEUE\TEMP\26B28E7990.emc Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
    L:\ESETNOD\logs\virlog.dat Object is locked skipped
    L:\ESETNOD\logs\warnlog.dat Object is locked skipped
    L:\ESETNOD\cache\CACHE.NDB Object is locked skipped
    L:\ESETNOD\infected\1ZAQUQDA.NQF Infected: Trojan-Proxy.Win32.Horst.pg skipped
    L:\ESETNOD\infected\MWQL5EAA.NQF Infected: Email-Worm.Win32.Warezov.fh skipped
    L:\ESETNOD\infected\V4ZATPBA.NQF Infected: Email-Worm.Win32.Warezov.fh skipped
    L:\ESETNOD\infected\1SPMBRAA.NQF Infected: Trojan.Win32.Dialer.cj skipped
    L:\ESETNOD\infected\OQWHQ0BA.NQF Infected: Trojan.Win32.Dialer.cj skipped
    L:\ESETNOD\infected\HIC1XCCA.NQF Infected: Email-Worm.Win32.Warezov.fb skipped
    L:\ESETNOD\infected\1A3BSWDA.NQF Infected: Trojan-Downloader.Win32.Small.gcx skipped
    L:\ESETNOD\infected\YU10OIBA.NQF Infected: Email-Worm.Win32.Luder.a skipped
    L:\ESETNOD\infected\VASD5EBA.NQF Infected: Email-Worm.Win32.Warezov.pk skipped
    L:\ESETNOD\infected\45ZX4BBA.NQF Infected: Trojan-Downloader.Win32.Small.dam skipped
    L:\ESETNOD\infected\MQ3Q22BA.NQF Infected: Email-Worm.Win32.Zhelatin.a skipped
    L:\ESETNOD\infected\0AWEABDA.NQF Infected: Email-Worm.Win32.Zhelatin.a skipped
    L:\ESETNOD\infected\Z0MUJWBA.NQF Infected: Trojan-Proxy.Win32.Lager.dp skipped
    L:\ESETNOD\infected\K35WDXAA.NQF Infected: Trojan-Downloader.Win32.Small.ciw skipped
    L:\ESETNOD\infected\UPG0VSAA.NQF Infected: Email-Worm.Win32.Banwarum.l skipped
    L:\ESETNOD\infected\RH2BDODA.NQF Infected: Email-Worm.Win32.Banwarum.l skipped
    L:\ESETNOD\infected\0LRS5TCA.NQF Infected: Email-Worm.Win32.Zhelatin.h skipped
    L:\ESETNOD\infected\BZP3ZBAA.NQF Infected: Email-Worm.Win32.Zhelatin.h skipped
    L:\ESETNOD\infected\Q3TLA4AA.NQF Infected: Email-Worm.Win32.Zhelatin.h skipped
    L:\ESETNOD\infected\MMWFHDBA.NQF Infected: Email-Worm.Win32.Zhelatin.h skipped
    L:\ESETNOD\infected\H2SKKYAA.NQF Infected: Email-Worm.Win32.Zhelatin.h skipped
    L:\ESETNOD\infected\WHS2TMBA.NQF Infected: Email-Worm.Win32.Zhelatin.h skipped
    L:\ESETNOD\infected\WYR35UCA.NQF Infected: Email-Worm.Win32.Zhelatin.k skipped
    L:\ESETNOD\infected\EK44FQCA.NQF Infected: Email-Worm.Win32.Zhelatin.k skipped
    L:\ESETNOD\infected\OC2ZOHBA.NQF Infected: Trojan-Downloader.Win32.Tibs.jr skipped
    L:\ESETNOD\infected\SI5B3UBA.NQF Infected: Trojan-Downloader.Win32.Tibs.kj skipped
    L:\ESETNOD\infected\WTMGPFDA.NQF Infected: Trojan-Downloader.Win32.Nurech.ah skipped
    L:\ESETNOD\infected\LS4Y4XBA.NQF Infected: Trojan-Downloader.Win32.Nurech.ai skipped
    L:\ESETNOD\infected\LZ4W2NCA.NQF Infected: Trojan-Downloader.Win32.Nurech.ak skipped
    L:\ESETNOD\infected\WE3JLMCA.NQF Infected: Trojan-Downloader.Win32.Nurech.ao skipped
    L:\ESETNOD\infected\NAP054AA.NQF Infected: Email-Worm.Win32.Zhelatin.u skipped
    L:\ESETNOD\infected\H4GWRICA.NQF Infected: Email-Worm.Win32.Zhelatin.u skipped
    L:\ESETNOD\infected\BG54TFCA.NQF Infected: Backdoor.Win32.Bifrose.aeg skipped
    L:\ESETNOD\infected\PPA51VAA.NQF Infected: Trojan-PSW.Win32.OnLineGames.zc skipped
    L:\ESETNOD\infected\DFC1BPDA.NQF Infected: Email-Worm.Win32.NetSky.q skipped
    L:\Internet\Spy\SpySweeper\Masters\masters.bak Object is locked skipped
    L:\Internet\Spy\SpySweeper\Masters\masters.mst Object is locked skipped
    L:\Internet\Spy\SpySweeper\Masters\Masters.const Object is locked skipped
    L:\Internet\Spy\SpySweeper\Masters.base Object is locked skipped

    Scan process completed.

    :confused:
     
  9. 2008/04/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Andy,

    H:\SavesAnanke\Dokumente und Einstellungen\me\Anwendungsdaten\AVG7\QUEUE\TEMP\26B28E7990.emc << not sure what this one is, but it is infected. Are those backups located in the H: drive?

    L:\ESETNOD\infected << this folder is full of infected files (quarantined) ... delete everything in the folder.


    You did not scan archives and email though, so I can't say if anything remains or not.

    Make sure to empty the recycle bin after deleting the infected files. How's the computer behaving now?
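The triage noahdfear did by eye on the log above (skip the "Object is locked" noise, then separate detections that sit inside another product's quarantine folder from ones that do not) can be automated. This is an added example, not code from the thread or from Kaspersky; the sample lines are copied from the posted log except the last one, which is constructed, and the quarantine folder markers are an assumption drawn from the paths in that log.

```python
"""Classify Kaspersky Online Scanner result lines the way a helper triages them."""
import re
from collections import Counter

# One result line: <path> followed by either "Infected: <name> skipped",
# "Suspicious: <name> skipped" or "Object is locked skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<kind>Infected|Suspicious):\s+(?P<name>\S+)\s+skipped"
    r"|(?P<locked>Object is locked skipped))$"
)

# Folders holding another AV product's quarantine (assumed from the posted
# paths): ESET NOD32 "infected" folder and the AVG7 QUEUE folder.
QUARANTINE_MARKERS = ("\\esetnod\\infected\\", "\\avg7\\queue\\")

# Constructed sample: five lines taken from the posted log plus one made-up
# detection outside any quarantine folder, to show the "active" bucket.
SAMPLE_LOG = [
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    r"H:\SavesAnanke\Dokumente und Einstellungen\me\Anwendungsdaten\AVG7\QUEUE\TEMP\26B28E7990.emc Suspicious: Trojan-Spy.HTML.Fraud.gen skipped",
    r"L:\ESETNOD\infected\1ZAQUQDA.NQF Infected: Trojan-Proxy.Win32.Horst.pg skipped",
    r"L:\ESETNOD\infected\MQ3Q22BA.NQF Infected: Email-Worm.Win32.Zhelatin.a skipped",
    r"L:\ESETNOD\infected\0AWEABDA.NQF Infected: Email-Worm.Win32.Zhelatin.a skipped",
    # constructed, not from the thread:
    r"C:\Documents and Settings\Andy\Local Settings\Temp\example.tmp Infected: Trojan-Downloader.Win32.Small.gcx skipped",
]


def parse_line(line):
    """Return {'path', 'kind', 'name'} for a result line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        return {"path": m.group("path"), "kind": "locked", "name": None}
    return {"path": m.group("path"), "kind": m.group("kind").lower(), "name": m.group("name")}


def in_quarantine(path):
    """True if the path lies inside one of the assumed quarantine folders."""
    p = path.lower()
    return any(marker in p for marker in QUARANTINE_MARKERS)


def triage(lines):
    """Bucket detections: already quarantined vs. live on disk, plus family counts."""
    report = {"locked": 0, "in_quarantine": [], "active": [], "families": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # headers, blank lines, "Scan process completed."
        if rec["kind"] == "locked":
            report["locked"] += 1  # normal for hives, event logs, index.dat
            continue
        report["families"][rec["name"]] += 1
        bucket = "in_quarantine" if in_quarantine(rec["path"]) else "active"
        report[bucket].append(rec)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(f"locked/skipped: {r['locked']}")
    print(f"already quarantined by another AV: {len(r['in_quarantine'])}")
    for rec in r["active"]:
        print(f"needs attention: {rec['path']} ({rec['name']})")
    for family, n in r["families"].most_common():
        print(f"  {n}x {family}")
```

Entries in the "active" bucket are the ones worth a reply; the quarantine bucket is safe to delete, as the reply above says.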
     
  10. 2008/04/20
    AndyB

    AndyB Inactive Thread Starter

    Joined:
    2008/04/04
    Messages:
    17
    Likes Received:
    0
    Thanks for the feedback.

    The mentioned files are a) the wife's saves directory which contains the AVG quarantine area.

    The same goes for b) my NOD quarantine. Those are safe and will get deleted.

    The mails I excluded, as they bring up all the jokes and pranks from decades of saved mails, which are multiplied because I used Outlook and switched to Thunderbird 2 years ago, which imported everything from Outlook. That's why in the first run of the online scan I got hundreds of entries.

    All is quiet for now. :D

    Thank you for your help - and I have learned quite a lot in the last weeks. In the future I will run regular scans and try to learn how to interpret the logs correctly. So I guess I'll be back here with a question or two regarding log entries and their respective impact on a system.

    Thank you for your time and skills in helping solve a big problem!

    //Andy
     
  11. 2008/04/20
    AndyB

    AndyB Inactive Thread Starter

    Joined:
    2008/04/04
    Messages:
    17
    Likes Received:
    0
    Help! Deckard has collected files...

    Help!

    I have no idea what I pressed, but all of a sudden I can't execute my Game-on-Demand package. I ran a search and found the ocx in c:\Deckard in some backup directory. Once there I found hundreds of files which were in mails and in directories, all of which I intended to keep.

    I ran DSS again, but found no interaction possibility.

    Is there any way to reverse the file collection and put them back where they came from?

    Thanks.
     
  12. 2008/04/20
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The ocx file would have likely come from the C:\Windows\Downloaded Program Files folder ...... dss removes certain filetypes from that location due to them often being rogue. You can put that one back. Other than that, there should only be temp files that were removed. Are you quite sure those aren't just tmp files?
     
  13. 2008/04/20
    AndyB

    AndyB Inactive Thread Starter

    Joined:
    2008/04/04
    Messages:
    17
    Likes Received:
    0
    Thanks. Yes, they are .ocx and indeed, they seem to fit the description of that address. I put them back and lo and behold, the server is responding.

    In the meantime, I have just found a .txt file which lists all the moved files, and yes, most are from \temp\, and I have now checked: the "rogues" do belong in the downloaded directory and the rest are all tmp's. Phew. I just hope that nothing else was changed.

    I would have appreciated a warning... :eek:
     
  14. 2008/04/21
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Can you give me the name of that ocx, or better yet, upload it to my submission channel? Maybe we can get it whitelisted. ;)

    Everything else OK now?
     
  15. 2008/04/22
    AndyB

    AndyB Inactive Thread Starter

    Joined:
    2008/04/04
    Messages:
    17
    Likes Received:
    0
    Hi,

    With pleasure.

    ExentCtl.ocx <Verified; Exent Technologies Ltd.; ExentCtl Module>
    hyplug.ocx <Not Verified; Hypnotizer; hypnotizer.player>

    They belong to the Metaboli-Player (EXEtender-Player)

    "Exent-powered Games-on-Demand service are delivered to a computer through the EXEtender player." on www.exent.com

    Thanks
    //Andy
     
  16. 2008/04/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Thanks Andy. I've submitted those to the developer.

    Can this topic be tagged resolved now?
     
  17. 2008/04/26
    AndyB

    AndyB Inactive Thread Starter

    Joined:
    2008/04/04
    Messages:
    17
    Likes Received:
    0
    Yes, by all means.

    Thank you for your time, knowledge and help! :)
     
  18. 2008/04/26
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're most welcome. Glad I could help. :)
     
