Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Unread postby aaiibn » August 23rd, 2006, 11:32 pm

Logfile of HijackThis v1.99.1
Scan saved at 11:22:50 PM, on 8/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\rcss.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\conime.exe
C:\WINDOWS\rundll.exe
c:\program files\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\i\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\flashget\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\flashget\jc_all.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\flashget\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\flashget\flashget.exe
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/c ... grt5_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt1_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - ms-its:mhtml:file://c:\nesuned.mht!http://adgate.info/zscript/dra.chm::/3138302D2D2D.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - ms-its:mhtml:file://c:\nesunew.mht!http://adgate.info/zscript/winfix.chm::/SystemDoctor2006FreeInstall.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\TEMP\sklrr7y8672723.exe (file missing)
aaiibn
Active Member
Posts: 12
Joined: August 23rd, 2006, 11:29 pm
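The helper's replies in this thread key on a few patterns in the log above: an O23 service with "Unknown owner", a service whose binary sits under TEMP and is already missing, and O16 DPF entries whose codebase is an ms-its: URL rather than an http download. As an added example that is not part of this thread and not a HijackThis feature, the following Python script encodes those checks as a small parser over HijackThis-format lines. The rules, the function names and the sample input (lines copied from the posted log, with two clean ATI entries as controls) are this example's own assumptions.

```python
"""Added example: flag HijackThis log lines that match the patterns the
helper in this thread reacts to. Heuristics and names are this example's own."""
import re
from typing import List, Tuple

# Constructed sample input: lines copied from the HijackThis log posted in
# this thread. The ATI entries are clean controls that should not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - (no file)
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\TEMP\sklrr7y8672723.exe (file missing)
""".strip("\n")

Finding = Tuple[int, str, str]  # (line number, HJT section, reason)

SECTION_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_o23(body: str):
    """Split 'Service: <name> - <owner> - <path>' from the right, so that a
    display name containing ' - ' does not shift the owner and path fields."""
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3 or not parts[0].startswith("Service: "):
        return None
    name, owner, path = parts
    return name[len("Service: "):], owner, path


def triage(log_text: str) -> List[Finding]:
    """Return one finding per (line, rule) match; a line may appear several times."""
    findings: List[Finding] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = SECTION_RE.match(line)
        if not m:
            continue  # process list, header and blank lines are skipped
        section, body = m.group(1), m.group(2)

        # Any section: an entry whose backing file is gone is an orphan worth cleaning.
        if "(no file)" in body:
            findings.append((lineno, section, "entry registered but its file is gone (orphan)"))

        if section == "O23":
            parsed = parse_o23(body)
            if parsed is None:
                continue
            _name, owner, path = parsed
            if owner == "Unknown owner":
                findings.append((lineno, section, "service binary carries no vendor information; verify the file"))
            if "(file missing)" in path:
                findings.append((lineno, section, "service points at a file that no longer exists"))
            if re.search(r"\\temp\\", path, re.IGNORECASE):
                findings.append((lineno, section, "service binary was installed under a TEMP directory"))

        elif section == "O16":
            # 'DPF: {CLSID} [(friendly name)] - <codebase>'; the codebase is the last field.
            codebase = body.rsplit(" - ", 1)[-1].lower()
            if codebase.startswith(("ms-its:", "mhtml:", "file://")):
                findings.append((lineno, section, "ActiveX codebase uses a local/CHM protocol handler instead of an http URL"))
    return findings


def flagged_lines(findings: List[Finding]) -> List[int]:
    """Distinct line numbers that triggered at least one rule, ascending."""
    return sorted({lineno for lineno, _, _ in findings})


if __name__ == "__main__":
    for lineno, section, reason in triage(SAMPLE_LOG):
        print(f"line {lineno:>2} [{section}] {reason}")
```

Run on the sample, the two ATI lines pass untouched while the orphaned BHO, the ms-its: DPF entry and the three "Unknown owner" services are flagged; the SpoolSvc212 line trips three rules at once, which is the kind of stacking that deserves the first look.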

Unread postby hillbillycj » August 24th, 2006, 7:29 am

Hi aaiibn :)

I'm hillbillycj and I will be glad to help you with your computer problems.
HiJack This logs can take some time to research and I will get back to you shortly.

As an Undergraduate helper, my responses to you have to be checked by the instructors, which takes a little extra time.

Thanks for your patience and understanding :D

Hillbillycj
hillbillycj
Regular Member
Posts: 397
Joined: April 18th, 2006, 7:31 am
Location: Metro Atlanta

Unread postby hillbillycj » August 25th, 2006, 8:19 pm

Hi aaiibn :D

Sorry for the delay in getting back to you, you appear to have a lot going on in your log.

First I need you to show Hidden files and Folders like this:

Click on Start then My Computer. On the tool bar at the top of the window choose:
  • Tools
  • Now choose Folder Options from the pull down menu
  • Click on View.
  • Click on Show Hidden Files and Folders
  • Click on Apply
  • Click on OK

Please visit http://virusscan.jotti.org/
Click on Browse... and navigate to the following file: C:\Windows\Rundll.exe
Click Open
Please let me know the results.

Do the same with C:\Windows\system32\conime.exe
Again, let me know the results.

The next step is just a precaution...

This line in your HJT log:

O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe

Got my heart pumping :) Click on the following link for more information.

http://www.castlecops.com/o23list-1924.html

Don't be alarmed but... I want you to download RootKit Revealer from HERE

Follow the instructions on the site and post the log in your next post.

We won't proceed further until I know one way or the other.

To recap, I need the Jotti results on those 2 files

The Rootkit Revealer log. Thanks.

Hillbillycj
hillbillycj
Regular Member
Posts: 397
Joined: April 18th, 2006, 7:31 am
Location: Metro Atlanta

Unread postby aaiibn » August 25th, 2006, 11:27 pm

Yo, how do I know if I still have the virus? My McAfee antivirus kept popping up and said that it deleted virus after virus. Is there any way I can check?
Thanks for your help
aaiibn
Active Member
 
Posts: 12
Joined: August 23rd, 2006, 11:29 pm

Unread postby hillbillycj » August 26th, 2006, 11:32 am

Hi aaiibn

To answer your question, you may have a rootkit installed. It is VERY important that we get rid of that first; then we can fix the rest. I need that RKR log as soon as you can. The virus, all in good time.

Thanks.

HCJ
hillbillycj
Regular Member
Posts: 397
Joined: April 18th, 2006, 7:31 am
Location: Metro Atlanta

Unread postby aaiibn » August 26th, 2006, 10:32 pm

What is the RKR log, I'm sorry I'm not very good with computers.
aaiibn
Active Member
 
Posts: 12
Joined: August 23rd, 2006, 11:29 pm

Unread postby hillbillycj » August 27th, 2006, 8:41 pm

Hi aaiibn :D

I need you to follow the instructions detailed for you below, in the order given:

1. First I need you to show Hidden files and Folders like this:

Click on Start then My Computer. On the tool bar at the top of the window choose:
  • Tools
  • Now choose Folder Options from the pull down menu
  • Click on View.
  • Click on Show Hidden Files and Folders
  • Click on Apply
  • Click on OK

2. Next, please visit: (just click on the blue link here; your browser will open up a new window and take you there)

http://virusscan.jotti.org/

When your Browser window opens click on Browse... and navigate to the following file:

C:\Windows\Rundll.exe

Click Open then Submit

Allow Jotti to run that file (rundll.exe) through its virus checkers

Please let me know the results. It will tell you if it is infected or not.

Do exactly the same with

C:\Windows\system32\conime.exe

Again, let me know the results.

3. The next step is just a precaution...

These lines in your HiJack This log:

O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\TEMP\sklrr7y8672723.exe (file missing)

indicate that you have the latest Hacker Defender rootkit infection.

I want you to download RootKit Revealer from http://www.sysinternals.com/Utilities/RootkitRevealer.html (Again, just click on the blue link here; your browser will open up a new window and take you there)

Please read the instructions and information, even better print them. Download the file to your desktop.
  • Create a folder C:\RKR by clicking on Start then My Computer, then double click Local Disk C:
  • A window will open showing you the contents of your C:\ folder.
  • You should see folders such as Windows, and Program Files. Right click anywhere in that open window and choose New
  • Click on Folder, now type in the name RKR then hit the enter key.
  • Close that window by clicking on the X at the top right hand corner of the window.

Double click on the Rootkit Revealer Icon. The file is a zip file, which Windows XP will unzip for you.
Save the unzipped file to C:\RKR, the folder you just created.
  • Now click on Start then My Computer, then double click on Local Disk C.
  • Double click on the folder RKR.
  • Double click on the Rootkit Revealer Icon (looks like the skull and crossbones with a magnifying glass over it)
  • A window will open. Click on the box on the bottom right side marked Scan
  • Allow the program to work. A log will appear in the box.
  • At the top of the window you see the word File. Click on it.
  • Click on Save
  • Another window will open with the file name rootkitreveal
  • Click on the icon which looks like a file with a green arrow on it. Keep clicking on it till it won't go any more.
  • You should now be at C:\
  • Double click on the folder "Documents and Settings"
  • Now double click on the folder which has your account name next to it
  • Now double click on the folder marked Desktop
  • Now click on Save (save as Text)
  • Close Rootkit Revealer
  • Double click on that new folder. The report will open up in Notepad
  • Right click anywhere in the notepad window.
  • Choose Select All
  • Right click in the window again and choose Copy
  • Go online and open up your thread.
  • Click on Post Reply
  • Right click in the reply window and choose paste


Your Rootkit Revealer (RKR) log is now ready for submission.
Don't forget to include Jotti results for the two files I asked for.

Thanks :D

Hillbillycj
hillbillycj
Regular Member
Posts: 397
Joined: April 18th, 2006, 7:31 am
Location: Metro Atlanta

Unread postby aaiibn » August 27th, 2006, 10:52 pm

Here's the Rootkit
HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6\ProductName 2/14/2006 11:07 PM 26 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}\DisplayName 2/14/2006 11:09 PM 26 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\i\Application Data\Aim\zejxhwhk\aaiibn\urlcache\aim85.tmp 8/27/2006 10:13 PM 437 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\i\Application Data\Aim\zejxhwhk\aaiibn\urlcache\aim88.tmp 8/27/2006 10:43 PM 437 bytes Hidden from Windows API.
C:\Documents and Settings\i\Cookies\i@sdc.mcafee[1].txt 8/27/2006 10:45 PM 144 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\23MB0JQ9\160x600_BlueCalc[1].gif 8/27/2006 10:39 PM 470 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\23MB0JQ9\button-big-blue-down[1].gif 8/27/2006 10:45 PM 232 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\23MB0JQ9\CAE3G16Z.gif 8/27/2006 10:38 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\23MB0JQ9\CAWPULL6.gif 8/27/2006 10:37 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\23MB0JQ9\common[1].css 8/27/2006 10:44 PM 10.40 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\23MB0JQ9\segment[1].css 8/27/2006 10:44 PM 10.81 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\4FY9UDU7\160x600_BlueHeader[1].gif 8/27/2006 10:39 PM 1.86 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\4FY9UDU7\bkgrd-btn-standard[1].gif 8/27/2006 10:45 PM 66 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\4FY9UDU7\CAMVEFE1.gif 8/27/2006 10:37 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\4FY9UDU7\CAQNMZ2X.gif 8/27/2006 10:38 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\4FY9UDU7\threatcenter[1].css 8/27/2006 10:45 PM 425 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\4FY9UDU7\virusSearchForm[1].js 8/27/2006 10:44 PM 595 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\a[1] 8/27/2006 10:39 PM 1.20 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\bkgrd-angle-personal[1].gif 8/27/2006 10:45 PM 1.64 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\catalog[1].css 8/27/2006 10:45 PM 222 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\slash-lt_gray[1].gif 8/27/2006 10:45 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\sports.yahoo[2] 8/27/2006 8:29 PM 82.17 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\thumb.getty-71621711jf012_jeld_wen_trad_10_32_26_pm[1].jpg 8/27/2006 10:37 PM 6.91 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\thumb.getty-71621711jf017_jeld_wen_trad_10_32_48_pm[1].jpg 8/27/2006 10:37 PM 8.70 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\thumb.getty-71621711jf024_jeld_wen_trad_10_31_21_pm[1].jpg 8/27/2006 10:37 PM 7.03 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\6170HWZ2\validateEmail[1].js 8/27/2006 10:44 PM 943 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\BV5ZNPOW\20060617infinityglobal[1].js 8/27/2006 10:37 PM 3.02 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\BV5ZNPOW\bd1010_1x1_1[1].gif 8/27/2006 10:38 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\BV5ZNPOW\bkgrd_angled_right_hho[1].gif 8/27/2006 10:45 PM 342 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\BV5ZNPOW\category[1].css 8/27/2006 10:45 PM 179 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\BV5ZNPOW\CAUT7XWK.gif 8/27/2006 10:39 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\BV5ZNPOW\CAY7SRJ8.gif 8/27/2006 10:45 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\BV5ZNPOW\execute_selection[1].js 8/27/2006 10:44 PM 482 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\C94HA3G1\a[1] 8/27/2006 10:37 PM 1.20 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\C94HA3G1\a[2] 8/27/2006 10:39 PM 1.12 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\C94HA3G1\bkgrd_angled_left_hho[1].gif 8/27/2006 10:45 PM 267 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\C94HA3G1\exceptions[1].css 8/27/2006 10:44 PM 3.82 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\C94HA3G1\pricePlan[1].js 8/27/2006 10:44 PM 2.05 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\C94HA3G1\slash-blue[1].gif 8/27/2006 10:45 PM 95 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\CLYBW1YR\6a1112_1x1_1[1].gif 8/27/2006 10:38 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\CLYBW1YR\clear[1].gif 8/27/2006 10:45 PM 49 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\CLYBW1YR\default[3].css 8/27/2006 10:44 PM 337 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\CLYBW1YR\domain[1].xml 8/27/2006 10:37 PM 640 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\CLYBW1YR\downloads[1].css 8/27/2006 10:45 PM 119 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\CLYBW1YR\sea[1].gif 8/27/2006 10:38 PM 2.07 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GLAZOHWN\999999_1x1_1[1].gif 8/27/2006 10:38 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GLAZOHWN\crossdomain[2].xml 8/27/2006 10:37 PM 639 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GLAZOHWN\fm[1].htm 8/27/2006 10:39 PM 16.34 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GLAZOHWN\lang[1].css 8/27/2006 10:44 PM 790 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GLAZOHWN\table[1].css 8/27/2006 10:45 PM 2.78 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GLAZOHWN\virusInfo[1].css 8/27/2006 10:45 PM 1.54 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GP63KRI5\icn_arrow_4x7[1].gif 8/27/2006 10:45 PM 49 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GP63KRI5\runapplications[1].css 8/27/2006 10:45 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GP63KRI5\standings[2] 8/27/2006 10:39 PM 40.27 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\GP63KRI5\virusMap_135x79[1].gif 8/27/2006 10:45 PM 4.74 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\2[3].html 8/27/2006 10:37 PM 25.77 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\a[1] 8/27/2006 10:38 PM 1.26 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\arrow-small-blue-right[1].gif 8/27/2006 10:45 PM 67 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\CAKP2VY7.gif 8/27/2006 10:38 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\cart-empty[1].gif 8/27/2006 10:45 PM 221 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\form[1].css 8/27/2006 10:44 PM 1.34 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\google[1] 8/27/2006 10:13 PM 4.88 KB Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\homepage[1].css 8/27/2006 10:45 PM 11.54 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\MTSRIXU1\tabs[1].js 8/27/2006 10:44 PM 739 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O92745UZ\160x600_BlueShop[1].gif 8/27/2006 10:39 PM 524 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O92745UZ\a[1] 8/27/2006 10:37 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O92745UZ\bullet_risk_low_7x7[1].gif 8/27/2006 10:45 PM 62 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O92745UZ\CAFUH0P1.gif 8/27/2006 10:38 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O92745UZ\layout[1].css 8/27/2006 10:44 PM 5.60 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O92745UZ\nav[1].css 8/27/2006 10:44 PM 12.16 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O9QJ4XQN\bkgrd-angle-segment-right[1].gif 8/27/2006 10:45 PM 180 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O9QJ4XQN\bkgrd_header_hho[1].gif 8/27/2006 10:45 PM 598 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O9QJ4XQN\catalogmenuselect[1].js 8/27/2006 10:44 PM 824 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O9QJ4XQN\google[2] 8/27/2006 10:37 PM 4.88 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O9QJ4XQN\hholanding[1].css 8/27/2006 10:45 PM 3.14 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\O9QJ4XQN\recap;_ylt=AvglTz666ylANGGYDJGu6[1].htm 8/27/2006 10:39 PM 44.63 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\RAW3RDGD\7398[2] 8/27/2006 10:38 PM 56.51 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\RAW3RDGD\bkgrd-grad-e7ece4x60[1].gif 8/27/2006 10:45 PM 279 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\RAW3RDGD\bkgrd_nav_section_hho[1].gif 8/27/2006 10:45 PM 68 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\RAW3RDGD\frameRemoval[1].js 8/27/2006 10:44 PM 159 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\RAW3RDGD\product[1].css 8/27/2006 10:45 PM 5.88 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\RAW3RDGD\sports.yahoo[1] 8/27/2006 10:37 PM 82.18 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\UJQXYZOJ\bkgrd-angle-segment-left[1].gif 8/27/2006 10:45 PM 182 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\UJQXYZOJ\CANTXNM2.gif 8/27/2006 10:39 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\UJQXYZOJ\ct_yad_040901[1].js 8/27/2006 10:37 PM 1.81 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\UJQXYZOJ\default[1].asp 8/27/2006 10:44 PM 25.03 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\UJQXYZOJ\externalMapWin[1].js 8/27/2006 10:45 PM 208 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\UJQXYZOJ\openWindow[1].js 8/27/2006 10:44 PM 2.94 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\UJQXYZOJ\Sitewise[1].js 8/27/2006 10:45 PM 4.28 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WPE3SD2Z\062306_728x90CM[1].swf 8/27/2006 10:37 PM 30.62 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WPE3SD2Z\alerts[1].css 8/27/2006 10:44 PM 1.00 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WPE3SD2Z\button-blue-right[1].gif 8/27/2006 10:45 PM 214 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WPE3SD2Z\capt.60a6d410966348419ea5d85ea48cf0de.red_sox_mariners_baseball_wajf116[1].jpg 8/27/2006 10:37 PM 33.04 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WPE3SD2Z\hover[1].htc 8/27/2006 10:45 PM 1.00 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WPE3SD2Z\logo[3].gif 8/27/2006 10:45 PM 2.05 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WPE3SD2Z\thumb.854ae608534242599d3122d76f474984.red_sox_mariners_baseball_wajf117[1].jpg 8/27/2006 10:37 PM 14.15 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WRXFIMNX\7398[1].jpg 8/27/2006 10:38 PM 2.30 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WRXFIMNX\a[1].xml 8/27/2006 10:39 PM 1.76 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WRXFIMNX\infinity2_lrec_light_v2_071206[1].swf 8/27/2006 10:37 PM 12.89 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WRXFIMNX\navSelector[1].js 8/27/2006 10:44 PM 2.19 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WRXFIMNX\purchaseWizard[1].css 8/27/2006 10:45 PM 806 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\WRXFIMNX\search[1].css 8/27/2006 10:45 PM 1.79 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\YBCDKLS5\a[1] 8/27/2006 10:38 PM 1.24 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\YBCDKLS5\CA32OV35.gif 8/27/2006 10:39 PM 43 bytes Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\YBCDKLS5\identitytheft[1].css 8/27/2006 10:45 PM 3.97 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\YBCDKLS5\recap;_ylt=AvglTz666ylANGGYDJGu6[1].w5nYcB 8/27/2006 10:37 PM 11.11 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\YBCDKLS5\upgradeCenter[1].css 8/27/2006 10:45 PM 12.32 KB Hidden from Windows API.
C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\YBCDKLS5\virus[1].css 8/27/2006 10:44 PM 180 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\Recent 8/27/2006 10:35 PM 0 bytes Hidden from Windows API.
C:\Documents and Settings\LocalService\Recent\Desktop.ini 8/27/2006 10:35 PM 150 bytes Hidden from Windows API.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP121\A0058794.old 8/27/2006 10:46 PM 126 bytes Hidden from Windows API.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP84\A0046982.exe 6/21/2006 3:19 PM 11.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP84\A0046983.exe 6/21/2006 3:19 PM 56.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP84\A0047008.exe 6/21/2006 3:21 PM 108.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP84\A0047010.exe 6/21/2006 3:20 PM 457.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP84\A0047011.exe 6/21/2006 3:21 PM 380.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP84\A0047012.exe 6/15/2006 6:39 PM 128.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0047059.exe 6/21/2006 5:15 PM 56.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0048051.exe 6/22/2006 1:33 PM 24.52 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049131.exe 6/22/2006 1:33 PM 56.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049132.exe 6/14/2006 10:01 PM 394.33 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049137.exe 6/23/2006 10:57 AM 112.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049143.exe 6/22/2006 8:33 AM 108.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049144.exe 6/22/2006 8:32 AM 457.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049145.exe 6/22/2006 8:33 AM 380.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049146.exe 6/22/2006 6:51 PM 7.61 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049147.exe 6/22/2006 1:42 PM 24.52 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049148.EXE 6/22/2006 8:32 AM 260.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049149.exe 6/21/2006 3:20 PM 29.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049150.exe 6/21/2006 3:20 PM 14.50 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049151.exe 6/21/2006 3:19 PM 302.85 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049152.exe 6/21/2006 3:20 PM 565.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049153.exe 6/21/2006 3:21 PM 292.60 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049154.exe 6/21/2006 3:22 PM 1.99 MB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049168.exe 6/21/2006 3:19 PM 11.48 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049169.exe 6/22/2006 6:51 PM 7.61 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049170.exe 6/21/2006 3:21 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049171.exe 6/22/2006 1:33 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049172.exe 6/21/2006 3:21 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049173.exe 6/22/2006 1:33 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049174.exe 6/21/2006 3:20 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049175.exe 6/21/2006 3:22 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049176.exe 6/22/2006 1:33 PM 16.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049177.exe 6/21/2006 3:19 PM 28.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP85\A0049178.exe 6/21/2006 3:20 PM 48.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP87\A0049262.exe 6/22/2006 6:51 PM 17.47 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP87\A0049263.exe 6/22/2006 6:51 PM 17.47 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP90\A0050332.exe 6/21/2006 5:15 PM 11.50 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\Prefetch\MGHTML.EXE-31D79FA5.pf 8/27/2006 10:43 PM 51.29 KB Hidden from Windows API.


File: Rundll.exe
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only flagged as malware by heuristic detection(s). This might be a false positive. Therefore, results of this scan will not be stored in the database)
MD5 31228613b11cdb776fc821fe4afa0c8f
Packers detected: -
Scanner results
AntiVir Found Heuristic/Crypted.RZO (probable variant)
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

File: conime.exe
Status: OK
MD5 4ccf9182fe0be9cc2992f8a9e361cc49
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing

File: conime.exe
Status: OK
MD5 4ccf9182fe0be9cc2992f8a9e361cc49
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
aaiibn
Active Member
 
Posts: 12
Joined: August 23rd, 2006, 11:29 pm

Unread postby aaiibn » August 27th, 2006, 10:53 pm

Whoops, sorry, I posted one of them twice.
And by the way, my Norton antivirus keeps on popping up saying that it deleted this virus and that virus. Is it doing its job?
aaiibn
Active Member
 
Posts: 12
Joined: August 23rd, 2006, 11:29 pm

Unread postby hillbillycj » August 28th, 2006, 11:03 am

Hi aaiibn :)

Thanks for the Jotti results and the RKR log.

Yes, Norton is doing its job. However, because of the nature of the rootkit, which is designed to hide both itself and its payload (the malware infection) from view, whatever viral or malware infection you have regenerates itself every time you delete it. I'll get back with you once I have had a chance to analyse the log.

Hang in there...

HCJ
hillbillycj
Regular Member
 
Posts: 397
Joined: April 18th, 2006, 7:31 am
Location: Metro Atlanta
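The cross-view comparison behind the RootkitRevealer log posted above, written out as an added example (not code from this thread or from the tool itself): it parses the tool's text export, treats discrepancies under the browser cache, System Restore, Prefetch and Recent folders as timing noise, and keeps everything else for a human look. The directory list is the example's own assumption; EXAMPLE_hidden.sys is a constructed path used only to show what a hit looks like.

```python
"""RootkitRevealer discrepancy triage (added example; not code from the
thread or from the tool). RootkitRevealer lists the file system twice, once
through the Windows API and once by reading NTFS structures (MFT, directory
index) directly, and reports every difference. A rootkit that filters API
results shows up as a file the raw pass sees and the API does not. The tool
cannot tell that from a file that appeared or vanished between the two passes,
so the analyst sorts the list by hand; this script encodes that sorting."""
import re
from dataclasses import dataclass

# Discrepancy descriptions exactly as RootkitRevealer's text export prints them.
HIDDEN_FROM_API = "Hidden from Windows API."
NOT_IN_MFT = "Visible in Windows API, but not in MFT or directory index."

# Directories that churn while a scan runs. Discrepancies under them are
# normally timing artefacts. This list is the reviewer's judgement (an
# assumption of this example), not part of the tool.
TRANSIENT_MARKERS = (
    "\\temporary internet files\\",
    "\\system volume information\\",
    "\\windows\\prefetch\\",
    "\\recent\\",
)

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M) "
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB)) "
    r"(?P<desc>.+)$"
)


@dataclass
class Finding:
    path: str
    desc: str
    verdict: str   # "transient" or "suspect"
    reason: str


def parse_line(line):
    """Split one export line into path, timestamp, size and description."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(path, desc):
    """Return (verdict, reason) for one discrepancy."""
    probe = path.lower().rstrip("\\") + "\\"
    if any(marker in probe for marker in TRANSIENT_MARKERS):
        return "transient", "churning directory; file changed between the API and raw passes"
    if desc == NOT_IN_MFT:
        return "transient", "API saw it but the raw pass did not; usually deleted mid-scan"
    if desc == HIDDEN_FROM_API:
        return "suspect", "raw NTFS pass sees a file the Windows API does not"
    return "suspect", "unrecognised discrepancy type; review by hand"


def triage(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip headers, blank lines, anything not an entry
            continue
        verdict, reason = classify(rec["path"], rec["desc"])
        findings.append(Finding(rec["path"], rec["desc"], verdict, reason))
    return findings


def suspects(lines):
    """Paths that still need a human look after the transient noise is removed."""
    return [f.path for f in triage(lines) if f.verdict == "suspect"]


# Four lines copied from the RootkitRevealer log posted in this thread, plus one
# constructed line (EXAMPLE_hidden.sys is hypothetical) to show what a hit looks like.
SAMPLE_LINES = [
    r"C:\Documents and Settings\i\Local Settings\Temporary Internet Files\Content.IE5\YBCDKLS5\virus[1].css 8/27/2006 10:44 PM 180 bytes Hidden from Windows API.",
    r"C:\Documents and Settings\LocalService\Recent 8/27/2006 10:35 PM 0 bytes Hidden from Windows API.",
    r"C:\System Volume Information\_restore{949F37F5-EEEA-4F48-AFF3-023E9721608E}\RP84\A0046982.exe 6/21/2006 3:19 PM 11.50 KB Visible in Windows API, but not in MFT or directory index.",
    r"C:\WINDOWS\Prefetch\MGHTML.EXE-31D79FA5.pf 8/27/2006 10:43 PM 51.29 KB Hidden from Windows API.",
    r"C:\WINDOWS\System32\drivers\EXAMPLE_hidden.sys 8/27/2006 10:40 PM 12.00 KB Hidden from Windows API.",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.verdict:9} {f.path}\n          {f.reason}")
```

Run against the lines in the log above, every entry lands in the transient bucket, which matches the reading the helper gives in the next post; only the constructed line is reported as a suspect. A real suspect is not proof of a rootkit either, just the point where a second tool (the helper reaches for GMER) or a boot from clean media is needed to look at the file.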

Unread postby hillbillycj » August 28th, 2006, 7:40 pm

Hi aaiibn

The RootkitRevealer scan did not show anything. Go ahead and delete the RootkitRevealer zip file from your desktop, and the log too. Right click on each icon in turn and choose delete.

Now click on Start then My Computer then double click Local Disk C:

Right click on the RKR folder and choose delete.

Let's download another tool: GMER


Please run a GMER Rootkit scan:

Download GMER's application from here (just click on the link like before):

http://www.gmer.net/gmer.zip

Save it to your desktop.

Click on Start then My Computer then double click Local Disk C:

Now right click anywhere in the open window and choose New, then Folder. Type in GMER and hit the Enter key.

Unzip the GMER zip file by double clicking on the desktop icon and save it to the GMER folder you just made.

Click on Start then My Computer then double click Local Disk C:

Locate the GMER folder and double click the GMER.exe file

Click the Rootkit tab and click the Scan button.

IMPORTANT: Do NOT use the computer while the scan is in progress.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

If you're having problems with running GMER.exe, try it in safe mode.
This tool works in safe mode. Other rootkit revealers don't.

If you are having problems getting GMER to run in normal mode, get into SAFE MODE like this:
Reboot into SAFE MODE

    By pressing the F8 key right when Windows starts, usually right after you hear your computer
    beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
    you will be brought to a menu where you can choose to boot into safe mode.

    If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

    I have found that during boot up, right after the computer displays the equipment, memory, etc.
    installed on your computer, if you start lightly tapping the F8 key, the system will usually display the menu.


Post the GMER log in your next post please.

Thanks :)

HCJ
hillbillycj
Regular Member
 
Posts: 397
Joined: April 18th, 2006, 7:31 am
Location: Metro Atlanta

Unread postby aaiibn » August 29th, 2006, 1:02 am

It's not posting, period. Can I email it to you? Every time I try to post it says error cannot post debugging, so can you give me your email address and I'll try to email it to you.
aaiibn
Active Member
 
Posts: 12
Joined: August 23rd, 2006, 11:29 pm

Unread postby hillbillycj » August 29th, 2006, 11:54 am

Hi aaiibn

I see you are a Freshman now. :thumbright: Welcome aboard. Now you get to see just what all this is about. :D

My mentor has suggested going here:

http://pastebin.com

Pasting your log there and then linking to it here so we can go get it.

My mentor has had to go out of town till Friday, so there will be a short delay in responding to your GMER log.

HCJ
hillbillycj
Regular Member
 
Posts: 397
Joined: April 18th, 2006, 7:31 am
Location: Metro Atlanta

Unread postby hillbillycj » September 2nd, 2006, 10:26 am

Hi aaiibn

Have not heard from you in a few days now. Are you having difficulty in posting your GMER log at http://pastebin.com/ and then linking back here? I need to see that log so I can compose a fix for the infection.

If so then this is how I would do it:
  • Run your GMER scan again.
  • Copy the log to the clipboard.
  • Browse to the http://pastebin.com web site (just click on the link), and paste the contents of the clipboard in the box.
  • Type in your user name, and check the box "Remember my settings"
  • Make sure the "Syntax Setting" box is set at "none"
  • Click "Send"
  • Look for your name under "Recent Posts" in the left hand box.
  • Right click on your name.
  • Choose Copy Shortcut
  • Paste that shortcut in a reply here in this thread.

That should do it.

Please let me know if you are having difficulty.

Remember, do not be "backwards in coming forwards" and asking questions. We are all here to learn as well as practice our newfound skills. You will find as a Freshman, going through the practice logs, that you will have plenty of questions. The folks here, well, you couldn't wish to meet a better group of people. There are no such things as "silly questions". The people here are only too willing to give of their time to answer you, and to help you understand something. :D

Hang in there...

Hillbillycj
hillbillycj
Regular Member
 
Posts: 397
Joined: April 18th, 2006, 7:31 am
Location: Metro Atlanta

help

Unread postby aaiibn » September 19th, 2006, 9:26 pm

Logfile of HijackThis v1.99.1
Scan saved at 9:25:07 PM, on 9/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\nwnmff_e8.exe
C:\kybrdff_e8.exe
C:\dfndrff_e8.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\jj4\jjsvr4.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\rcss.exe
C:\WINDOWS\rundll.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\nwnmff_e8.exe
C:\kybrdff_e8.exe
C:\dfndrff_e8.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\i\LOCALS~1\Temp\yahoo_antispy_01.14.00_us_setup2_.exe
C:\WINDOWS\System32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\YPSR\updates\ypsr_dat_06.04.26.16_setup_.exe
C:\Documents and Settings\i\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\System32\nsi8.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBarBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ViewpointPhotosDeviceConnect] C:\Program Files\Viewpoint\Viewpoint Toolbar V35\FotomatDeviceConnect.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e8.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e8.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e8.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Program Files\Yahoo!\YPSR\ppclean.exe" "clean" "cws" "2"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar V35\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: 使用网际快车下载 - C:\Program Files\flashget\jc_link.htm
O8 - Extra context menu item: 使用网际快车下载全部链接 - C:\Program Files\flashget\jc_all.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\flashget\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\flashget\flashget.exe (file missing)
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/c ... grt5_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/c ... /wt1_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/share ... insctl.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\i\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Remote Procedure Call Service (RPCS) - Unknown owner - C:\WINDOWS\rcss.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\TEMP\sklrr7y8672723.exe (file missing)
aaiibn
Active Member
 
Posts: 12
Joined: August 23rd, 2006, 11:29 pm
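A mechanical first pass over the HijackThis log above, added here as an example and not the forum's fix or HijackThis's own code. It parses the result lines, applies a few of the checks a log reviewer does by eye (unnamed hooks, autoruns placed in the drive root, Trusted Zone additions, ActiveX entries loaded from local files, a populated AppInit_DLLs, services with no owner or a missing binary) and cross-references O16 download hosts against the O15 Trusted Zone list, which is how cabs.elitemediagroup.net is caught in this log. SAMPLE_LOG is a subset of the lines posted above; the rule set and its wording are the example's own.

```python
"""First-pass triage of a HijackThis log (added example; not code from the
forum, from the helper's fix, or from HijackThis itself). HijackThis lists hook
points (search hooks, BHOs, Run keys, Trusted Zone sites, ActiveX downloads,
services) without judging them. The rules below encode checks a log reviewer
makes by eye, plus one cross-reference (O16 download hosts against O15
Trusted Zone domains) that is easy to miss in a long log."""
import re
from urllib.parse import urlparse

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# An executable sitting directly in a drive root, e.g. C:\\name.exe. HijackThis
# prints doubled backslashes when the registry value holds them, hence \\+.
ROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\+[^\\\s"]+\.exe', re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) pairs for every HijackThis result line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def trusted_zone_domains(entries):
    """Domains from O15 lines, lower-cased, with the '*.' wildcard removed."""
    domains = set()
    for section, body in entries:
        if section == "O15" and body.startswith("Trusted Zone: "):
            site = body[len("Trusted Zone: "):].split(" ")[0]
            domains.add(site.lstrip("*.").lower())
    return domains


def host_in(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def flag_entry(section, body, trusted):
    """Reasons (possibly none) why a reviewer should look at this entry."""
    reasons = []
    if section in ("R3", "O2") and "(no name)" in body:
        reasons.append("hook or BHO that registers no display name")
    elif section == "O4" and "] " in body:
        command = body.split("] ", 1)[1]          # text after the [value name]
        if ROOT_EXE_RE.match(command):
            reasons.append("autorun executable placed directly in the drive root")
    elif section == "O15":
        reasons.append("site added to the IE Trusted Zone, which relaxes browser security for it")
    elif section == "O16":
        source = body.rsplit(" - ", 1)[-1].strip()
        if not source.lower().startswith(("http://", "https://")):
            reasons.append("ActiveX entry sourced from a local file, not a web URL")
        elif host_in((urlparse(source).hostname or "").lower(), trusted):
            reasons.append("ActiveX download host is also in the Trusted Zone list")
    elif section == "O20" and body.startswith("AppInit_DLLs: "):
        reasons.append("AppInit_DLLs loads this DLL into every process that uses user32.dll")
    elif section == "O23":
        if "Unknown owner" in body:
            reasons.append("service binary carries no vendor information")
        if "(file missing)" in body:
            reasons.append("service points at a binary that no longer exists")
    return reasons


def triage(log_text):
    """(section, body, reasons) for every entry that gets at least one reason."""
    entries = parse_entries(log_text)
    trusted = trusted_zone_domains(entries)
    flagged = []
    for section, body in entries:
        reasons = flag_entry(section, body, trusted)
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


# A subset of the HijackThis lines posted in this thread (copied verbatim).
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e8.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/c ... grt5_x.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nesunei.mht!http://adgate.info/zscript/dial.chm::/d2.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - AppInit_DLLs: dxclib303562752.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: rundll.exe - Unknown owner - C:\WINDOWS\rundll.exe
O23 - Service: Print Spooler Service (SpoolSvc212) - Unknown owner - C:\WINDOWS\TEMP\sklrr7y8672723.exe (file missing)
"""

if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(section, body, "->", "; ".join(reasons))
```

The script deliberately leaves vendor-signed entries such as the ATI and Adobe lines alone and says nothing about entries it has no rule for (the unnamed "SSL encrypt" BHO in the full log is one), so it is a way to order the reading of a log, not a replacement for it; the helper's judgement on which lines to fix still comes from looking at each flagged entry.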