how to remove malware


Post by youxuan » February 19th, 2007, 11:36 pm

Logfile of HijackThis v1.99.1
Scan saved at 10:09:26 PM, on 2/19/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Video Access ActiveX Object\isamntr.exe
C:\Program Files\Video Access ActiveX Object\pmsnrr.exe
C:\Program Files\Video Access ActiveX Object\pmmnt.exe
C:\Program Files\Video Access ActiveX Object\isamini.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\HijackThis.exe

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\atlci.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm
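The log above is short, but it already contains the indicators a helper looks at first: a BHO with no name, a service whose short name is binary garbage and whose file is missing, a service with no recognisable owner outside the Windows directory, and four processes running from the same "Video Access ActiveX Object" folder that the nameless BHO loads from. The script below is an added example by the editor, not code from the thread or from HijackThis; it parses the running-process list and the O2/O23 lines and applies those checks. The heuristics are the editor's own, and SAMPLE_LOG is a constructed, shortened excerpt of the posted log.

```python
"""Triage a HijackThis 1.99.1 log the way a helper reads it by eye.
Added example, not code from the forum thread or from HijackThis; the
heuristics are the editor's own and SAMPLE_LOG is a constructed excerpt."""
import re
from dataclasses import dataclass

SAMPLE_LOG = """Logfile of HijackThis v1.99.1
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\\WINNT\\System32\\smss.exe
C:\\WINNT\\Explorer.EXE
C:\\Program Files\\Network Monitor\\netmon.exe
C:\\Program Files\\Video Access ActiveX Object\\isamntr.exe
C:\\Program Files\\Video Access ActiveX Object\\isamini.exe

O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\\Program Files\\Video Access ActiveX Object\\isadd.dll
O4 - HKLM\\..\\Run: [Synchronization Manager] mobsync.exe /logon
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F\u00df\u00e4#\u00b7\u00ba\u00c4\u00d6`I) - Unknown owner - C:\\WINNT\\atlci.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\\WINNT\\System32\\dmadmin.exe
O23 - Service: Network Monitor - Unknown owner - C:\\Program Files\\Network Monitor\\netmon.exe
"""


@dataclass(frozen=True)
class Finding:
    reason: str  # why the entry was flagged
    item: str    # the process path or O-line body it refers to


OLINE_RE = re.compile(r"^(O\d+) - (.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
# Display name, optional "(short name)", owner, path; the short name is absent
# when HijackThis prints it identical to the display name.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.+?) - (?P<path>.+)$")


def parse_log(text):
    """Return (running_processes, [(code, body), ...]) from a HijackThis log."""
    processes, olines, in_procs = [], [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:          # blank line ends the process block
                in_procs = False
            else:
                processes.append(line)
            continue
        m = OLINE_RE.match(line)
        if m:
            olines.append((m.group(1), m.group(2)))
    return processes, olines


def dirname(path):
    """Lower-cased directory part of a Windows path."""
    return path.rsplit("\\", 1)[0].lower()


def triage(text):
    """Apply the helper's eyeball checks and return a list of Finding."""
    processes, olines = parse_log(text)
    findings, suspect_dirs = [], set()
    for code, body in olines:
        if code == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)":
                findings.append(Finding("BHO without a name", body))
                suspect_dirs.add(dirname(m.group("path")))
        elif code == "O23":
            m = SERVICE_RE.match(body)
            if not m:
                continue
            path = m.group("path")
            short = (m.group("short") or "").strip()
            if path.endswith("(file missing)"):
                findings.append(Finding("service points at a missing file", body))
            if any(ord(ch) > 127 for ch in short):
                findings.append(Finding("service short name contains non-ASCII bytes", body))
            if m.group("owner") == "Unknown owner" and not path.lower().startswith("c:\\winnt\\"):
                findings.append(Finding("service with no file owner outside the Windows directory", body))
                suspect_dirs.add(dirname(path))
    # Anything running from a folder that a flagged entry lives in is worth a look too.
    for proc in processes:
        if dirname(proc) in suspect_dirs:
            findings.append(Finding("running from a directory named by a flagged entry", proc))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}: {f.item}")
```

The last rule is the one that makes the log above readable at a glance: once isadd.dll is flagged, the four executables in the same folder are listed with it, which is exactly the grouping the helper relies on when choosing what to fix first.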

the problem is

Post by youxuan » February 19th, 2007, 11:59 pm

I know there is one bad file located at

C:\Program Files\Video Access ActiveX Object\isadd.dll

However, I can't delete it: "Source file is in use."
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm

Post by John B. » February 20th, 2007, 4:30 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.
I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Finally, please make an uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.


    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Post by John B. » February 20th, 2007, 7:24 am

Hi youxuan,

You aren't running Anti Virus Software. Please download and install one of them first!!!

Use an Anti Virus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
Computer Safety On line - Anti-Virus
I use AVG Anti-Virus (Free Edition)!

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Once you have done this, we can begin with the fix.

Step 1: Move HijackThis
You currently are running HijackThis from here:
C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\HijackThis.exe

Please make a folder here:
C:\Documents and Settings\YouXuan1\Desktop\HijackThis
and place HijackThis in that folder.

Step 2: Check for Back ups or whitelisted items
Your log is very short, so I suspect something has been whitelisted or fixed by you.
  • Open HijackThis
  • Click None of the above, just start the program
  • Click Config
  • Go to the tab Ignorelist and check if anything's there
    • If there's something there click Delete all
  • Go to the tab Backups and check if anything's there
  • Close HijackThis

Step 3: Download and Run SmitfraudFix
Please download SmitfraudFix (by S!Ri)
Run the file, it will extract Smitfraudfix to its own folder and run.

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


Step 4: Post logs
* Smitfraudfix log
* Uninstall log (if you haven't posted it yet)
* Fresh HJT log
* Tell me about the Ignorelist and the Backups

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

save list

Post by youxuan » February 20th, 2007, 7:58 pm

Thanks John for helping me! Following is the save list:

ACDSee 6.0 PowerPack
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe InDesign CS Time Limited Trial
Adobe Photoshop 6.0
Adobe Reader 7.0.5
Adobe® Photoshop® Album Starter Edition 3.0
Command
DirectX 8.1 Hotfix - KB839643
EPSON Printer Software
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for MDAC 2.53 (KB911562)
HyperLoad
Internet Explorer Security Plugin 2006
Internet Security Add-On
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.9.33
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office 2000 Premium
Microsoft VGX Q833989
Mozilla Firefox (1.0.2)
NavExcel Search Toolbar (remove only)
Nero - Burning Rom (Web installer)
Network Monitor
NJStar Chinese Word Processor
OLYMPUS CAMEDIA Master 4.1
Palm Desktop
Picasa 2
Pop-Up Stopper Free Edition
Public Messenger ver 2.03
QuickTime
RealPlayer
ResumeMaker
Screensavers Installer
Security Toolbar
Security Update for Windows 2000 (KB904706)
Shopping Wizard
Spybot - Search & Destroy 1.3
SpyDawn 3.1
System Alert Popup
Update Rollup 1 for Windows 2000 SP4
Video Access ActiveX Object 2.07
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
WinRAR archiver
WinZip Self-Extractor
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v6
Yahoo! Toolbar
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm

run smitfraudfix

Post by youxuan » February 20th, 2007, 8:12 pm

John, when I checked Backups in HijackThis, I saw a lot of files in there. Should I delete them? You did not say. Following is the SmitfraudFix run:
SmitFraudFix v2.144

Scan done at 19:01:01.05, Tue 02/20/2007
Run from C:\Documents and Settings\YouXuan1\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\desktop.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\dfrgsrv.exe FOUND !
C:\WINNT\system32\ginuerep.dll FOUND !
C:\WINNT\system32\interf.tlb FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\YouXuan1


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\YouXuan1\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1.WIN\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\YouXuan1\FAVORI~1

C:\DOCUME~1\YouXuan1\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyDawn\ FOUND !
C:\Program Files\Video Access ActiveX Object\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{2016a466-91a2-43c6-97d8-2fd380f065ef}"="eitheror"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm
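By this point the thread holds three independent artifacts: the HijackThis running-process list, the HijackThis uninstall list, and the SmitfraudFix search report. The folder "Video Access ActiveX Object" appears in all three, and "SpyDawn" in two, which is what makes those two findings solid rather than a single tool's opinion. The script below is an added example by the editor, not code from SmitfraudFix or HijackThis; it parses the "FOUND !" lines of the report (classifying each as a file, a .url shortcut or a directory) and, for every flagged directory, lists the running processes inside it and the Add/Remove Programs entries whose name starts with the folder name. The three excerpts are constructed, shortened copies of the logs posted above.

```python
"""Correlate the HijackThis process list, the HijackThis uninstall list and
the SmitfraudFix search report. Added example by the editor, not code from
either tool; the three excerpts are constructed copies of the posted logs."""
import re
from collections import Counter

# Constructed excerpt of the "Running processes:" block of the HijackThis log.
HJT_PROCESSES = [
    r"C:\WINNT\System32\smss.exe",
    r"C:\Program Files\Network Monitor\netmon.exe",
    r"C:\Program Files\Video Access ActiveX Object\isamntr.exe",
    r"C:\Program Files\Video Access ActiveX Object\pmsnrr.exe",
    r"C:\Program Files\Video Access ActiveX Object\pmmnt.exe",
    r"C:\Program Files\Video Access ActiveX Object\isamini.exe",
]

# Constructed excerpt of the HijackThis uninstall list.
UNINSTALL_LIST = [
    "Network Monitor",
    "Spybot - Search & Destroy 1.3",
    "SpyDawn 3.1",
    "Video Access ActiveX Object 2.07",
]

# Constructed excerpt of the SmitfraudFix "Search" (option 1) report.
SMITFRAUDFIX_REPORT = r"""
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\desktop.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\dfrgsrv.exe FOUND !
C:\WINNT\system32\ginuerep.dll FOUND !
C:\WINNT\system32\interf.tlb FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1.WIN\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyDawn\ FOUND !
C:\Program Files\Video Access ActiveX Object\ FOUND !
"""

SECTION_RE = re.compile(r"^»+ (?P<name>.+)$")      # "»»»» C:\WINNT" headers
FOUND_RE = re.compile(r"^(?P<path>.+?) FOUND !$")   # one hit per line


def parse_smitfraudfix(report):
    """Return [(section, path, kind), ...] for every 'FOUND !' line."""
    section, hits = None, []
    for line in report.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            continue
        m = FOUND_RE.match(line)
        if m:
            path = m.group("path")
            if path.endswith("\\"):            # SmitfraudFix prints directories with a trailing backslash
                kind = "directory"
            elif path.lower().endswith(".url"):  # the fake "security guide" desktop shortcuts
                kind = "shortcut"
            else:
                kind = "file"
            hits.append((section, path, kind))
    return hits


def count_kinds(hits):
    """How many files, shortcuts and directories the report flagged."""
    return dict(Counter(kind for _, _, kind in hits))


def folder_name(path):
    """Last component of a directory hit: 'SpyDawn' for 'C:\\Program Files\\SpyDawn\\'."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def correlate(hits, processes, uninstall_entries):
    """For each flagged directory, list the running processes inside it and the
    Add/Remove Programs entries whose name starts with the folder name."""
    result = {}
    for _, path, kind in hits:
        if kind != "directory":
            continue
        name = folder_name(path)
        prefix = path.lower()
        result[name] = {
            "processes": [p for p in processes if p.lower().startswith(prefix)],
            "uninstall_entries": [u for u in uninstall_entries if u.lower().startswith(name.lower())],
        }
    return result


if __name__ == "__main__":
    hits = parse_smitfraudfix(SMITFRAUDFIX_REPORT)
    print(count_kinds(hits))
    for name, info in correlate(hits, HJT_PROCESSES, UNINSTALL_LIST).items():
        print(name, "->", len(info["processes"]), "running process(es),",
              info["uninstall_entries"] or "no uninstall entry")
```

A directory that is flagged by SmitfraudFix, has live processes in the HijackThis list and has its own Add/Remove Programs entry is the pattern the helper is acting on: it explains why the user could not delete isadd.dll while the machine was in normal mode (the folder's processes hold it open) and why the next instructions move the cleanup into Safe Mode.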

ignorelist and backups

Post by youxuan » February 20th, 2007, 8:29 pm

John, there is nothing in Ignorelist but more than 20 files in backups. :!:
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm

Post by John B. » February 21st, 2007, 12:49 pm

Hi,

Please copy the fix to Notepad/Word, or print it, because you won't always have internet access!

Step 1: Download AVG Anti-Spyware
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
IMPORTANT! Do not scan yet with AVG Anti-Spyware! We will do this later.

Step 2: Boot into Safe Mode
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Step 3: Run SmitfraudFix
Double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Step 4: Delete Temporary files
Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete... under Browsing History.
  • Next to Temporary Internet Files, click Delete files, and then click OK.
  • Next to Cookies, click Delete cookies, and then click OK.
  • Next to History, click Delete history, and then click OK.
  • Click the Close button.
  • Click OK.
For Internet Explorer 4.x - 6.x
  • Click Start, click Control Panel, and then double-click Internet Options.
  • On the General tab, click Delete Files under Temporary Internet Files.
  • In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
  • On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
  • Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
  • Click OK.
For Netscape 4.x and Up
  • Click Edit from the Netscape menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the triangle sign.
  • Click Cache.
  • Click both the Clear Memory Cache and the Clear Disk Cache buttons.
For Mozilla 1.x and Up
  • Click Edit from the Mozilla menubar.
  • Click Preferences... from the Edit menu.
  • Expand the Advanced menu by clicking the plus sign.
  • Click Cache.
  • Click the Clear Cache button.
For Opera
  • Click File from the Opera menubar.
  • Click Preferences... from the File menu.
  • Click the History and Cache menu.
  • Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
  • Click Ok to close the Preferences menu.
Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

Step 5: Run AVG Anti-Spyware
Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Step 6: Reboot your computer
It'll automatically switch to Normal Mode.

Step 7: Post logs
Please post:
  • c:\rapport.txt
  • AVG log
  • Fresh HijackThis log
  • Tell me if you fixed those items in Backups yourself or if you were instructed by an expert
You may need several replies to post the requested logs, otherwise they might get cut off.

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

I am running into some problems

Post by youxuan » February 22nd, 2007, 9:55 am

Dear John, Good morning!

1. When I run SmitfraudFix, after the tool completed and disk cleanup finished, instead of the message "Registry cleaning - Do you want to clean the registry?" I have this message: "Registry editor can't import cleanup.reg: Error accessing the registry."

2. On the last step of Run AVG Anti-Spyware, when I click on "apply all actions"
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm

smitfraudfix

Post by youxuan » February 22nd, 2007, 11:03 pm

1. When I run SmitfraudFix, after the tool completed and disk cleanup finished, instead of the message "Registry cleaning - Do you want to clean the registry?" I have this message: "Registry editor can't import cleanup.reg: Error accessing the registry."
But it does produce a report like this:

SmitFraudFix v2.144

Scan done at 19:39:56.00, Wed 02/21/2007
Run from C:\Documents and Settings\YouXuan1\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"system"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm

AVG Anti-Spyware - Scan Report

Post by youxuan » February 22nd, 2007, 11:05 pm

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:43:18 AM 2/22/2007

+ Scan result:



HKLM\SOFTWARE\sais -> Adware.180Solutions : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-1580436667-1202660629-1000\Software\sais -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2000478354-1580436667-1202660629-500\Dc2.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Program Files\Screensavers.com\Installer\bin\ScreensaversInst.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\WINNT\WW91WHVhbg\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINNT\WW91WHVhbg\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{3E5588A0-3BE1-FD47-46F2-3A6D7DE38B03} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{86A7283D-AF5F-C942-5956-175B3F3233C1} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{9A9ABCB8-898A-B08A-6D78-F8C35DE24354} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{B35515F4-F23D-5370-7E4F-F0060FB29CBB} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{B9D22511-13D0-CDC7-73A2-C4D18A15E2B0} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{D08959AE-2CE7-8EB6-A6B0-EDBC6572FE18} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{E3C5B762-0DC9-646F-ECDC-E74618D26264} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{E4032433-850D-65E1-559E-A9287368C404} -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wbho.Band -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wbho.Band.1 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wbho.Band\CLSID -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Wbho.Band\CurVer -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-1580436667-1202660629-1000\Software\intexp -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-1580436667-1202660629-1000\Software\intexp\Config -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-1580436667-1202660629-1000\Software\intexp\MyFileSystem2 -> Adware.IEPlugin : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-1580436667-1202660629-1000\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-1580436667-1202660629-1000\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\YourSiteBar -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\YourSiteBar\Historycompare_item -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\YourSiteBar\Historyfiles -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\WINNT\nxstinst.exe -> Adware.NavExcel : Cleaned with backup (quarantined).
C:\WINNT\remover.dll -> Adware.NavExcel : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-1580436667-1202660629-1000\Software\NavExcel Ltd -> Adware.NavExcel : Cleaned with backup (quarantined).
HKU\S-1-5-21-2000478354-1580436667-1202660629-1000\Software\NavExcel Ltd\NavExcel Search Toolbar -> Adware.NavExcel : Cleaned with backup (quarantined).
C:\WINNT\pxckdlauninstall.exe -> Adware.NoName : Cleaned with backup (quarantined).
C:\WINNT\system32\rzspy.exe -> Adware.Raze : Cleaned with backup (quarantined).
C:\WINNT\system32\rk.bin -> Adware.RK : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Cleaned with backup (quarantined).
C:\Program Files\SideFind -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Program Files\SideFind\sfexd001 -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Program Files\SideFind\update -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper.1 -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CLSID -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\BrowserHelperObject.BAHelper\CurVer -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SideFind.Finder -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SideFind.Finder.1 -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SideFind.Finder\CLSID -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\SideFind.Finder\CurVer -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\SideFind -> Adware.SideFind : Cleaned with backup (quarantined).
HKLM\SOFTWARE\SideFind -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Ap1150 -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Ap1150\cmpt70000.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Ap1150\merc1187.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Ap1150\merc70000.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Ap1150\mercexcl.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Ap1150\psid1187.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Ap1150\topr1150.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150 -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150\1150sh.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150\41d77ef57487.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150\41d77ef85990.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150\42e3f9b670eb.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150\YouXuan1 -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150\YouXuan1\41d77efd5abf.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150\administrator -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Da1150\administrator\41d77efd5abf.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\README.txt -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150 -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\f_popo1150c_rb.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\f_popo1150c_ub.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\f_spec1150c_rb.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\f_spec1150c_ub.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\foot1150c_rb.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\foot1150c_ub.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\popo1150c.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\pref1150c.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\remv1150c.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\scri1150a.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Html\spec1150c.htm -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\p.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_envelope.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_footer.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_autotrack_remove.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_settings.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_settings_toprebates.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_pop_circles.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_pop_circles_bg2.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_warning.gif -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Sy1150 -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_0.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_1.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_2.dat -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Tp1150 -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\Sy1150\Tp1150\log.txt -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\WebRebates2.dll -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\WebRebates2.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\Web_Rebates\disp1150.exe -> Adware.WebRebates : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\Program Files\YourSiteBar -> Adware.YourSiteBar : Cleaned with backup (quarantined).
C:\Program Files\YourSiteBar\imagemap_normal.bmp -> Adware.YourSiteBar : Cleaned with backup (quarantined).
C:\Program Files\YourSiteBar\version.txt -> Adware.YourSiteBar : Cleaned with backup (quarantined).
C:\Program Files\YourSiteBar\yoursitebar.xml -> Adware.YourSiteBar : Cleaned with backup (quarantined).
C:\Program Files\YourSiteBar\ysb.dll -> Adware.YourSiteBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Adware.YourSiteBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\YSBactivex.Installer.1 -> Adware.YourSiteBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Adware.YourSiteBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CurVer -> Adware.YourSiteBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Ysb.YsbObj -> Adware.YourSiteBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Ysb.YsbObj.1 -> Adware.YourSiteBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Ysb.YsbObj\CLSID -> Adware.YourSiteBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Ysb.YsbObj\CurVer -> Adware.YourSiteBar : Cleaned with backup (quarantined).
C:\WINNT\ockodak.log:vnuko -> Downloader.WinShow.ak : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-162816-592.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-162907-669.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-170433-363.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-170444-580.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-170456-583.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-170524-446.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-185005-939.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-185013-539.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-190901-951.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-190944-574.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-191424-936.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-191435-842.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-212322-108.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\HiJackThis\backups\backup-20070219-214017-334.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\backups\backup-20070219-223220-414.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\backups\backup-20070219-224302-320.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\backups\backup-20070219-224314-211.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\backups\backup-20070219-224330-261.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\backups\backup-20070219-224448-109.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Local Settings\Temp\backups\backup-20070219-162816-592.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\Local Settings\Temp\backups\backup-20070219-162907-669.dll -> Downloader.Zlob.bfh : Cleaned with backup (quarantined).
C:\WINNT\javaco32.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-2000478354-1580436667-1202660629-500\Dc1.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINNT\WW91WHVhbg\qq6YqJp1v0.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\5-一吻定情.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\6-最爱.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\7-水之恋.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\8-夜精灵.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\今生今世.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\周杰伦-世界末日.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\周杰伦-完美主义.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\喳雄腔凯楠.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\天堂.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\情人.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\田震-执着.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\相信自己.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\粤语 相思风雨中.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\My Music\那英-爱依然.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\东北人都是活雷锋.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\吻别英文版.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\害羞女孩.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\康巴汉子.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\心太软.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\无所谓.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\暗香.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\暗香、如果你是我的传说.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\Documents and Settings\YouXuan1\My Documents\绽饪.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/Dan 11-28-03/P2070026.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/Dan 11-28-03/P2070027.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120006.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120007.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120008.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120009.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120010.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120011.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120012.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120013.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120014.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120015.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120016.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120017.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120018.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120019.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120020.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120021.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120022.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120023.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120024.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\My Documents.zip/My Documents/Photos/three of us/P1120025.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).


::Report end
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm
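The report above is a flat list of `path -> detection : action` lines, which is tedious to read by hand when a family such as Worm.LoveLetter accounts for dozens of entries. The following Python script is an added example (not part of the forum post and not an AVG tool): it parses that line format, counts detections per family, and flags the two things worth a second look in a report like this one, namely LoveLetter-style double-extension companions (`song.mp3.vbs`, `photo.JPG.vbs`, which Windows Script Host runs on double-click while Explorer may hide the final extension) and hits inside archives (`.zip/`), which a cleaner cannot remove without re-packing the archive. The sample lines are constructed to mirror the format on this page; the paths and user name in them are invented.

```python
"""Triage an AVG Anti-Spyware style scan report (added example)."""
import re
from collections import Counter

# <path> -> <detection> : <action>.   (trailing period optional)
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")

# Extensions that Windows Script Host executes on double-click.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
# Harmless-looking inner extensions worms such as LoveLetter hide behind.
DECOY_EXTS = {".mp3", ".jpg", ".jpeg", ".gif", ".txt", ".doc", ".zip"}

# Constructed sample in the report's format; names below are invented.
SAMPLE_REPORT = """\
C:\\Program Files\\Web_Rebates\\WebRebates2.dll -> Adware.WebRebates : Cleaned with backup (quarantined).
HKLM\\SOFTWARE\\Classes\\Ysb.YsbObj -> Adware.YourSiteBar : Cleaned with backup (quarantined).
C:\\WINNT\\javaco32.exe -> Trojan.Agent.bi : Cleaned with backup (quarantined).
C:\\Documents and Settings\\user\\My Documents\\My Music\\song1.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\\Documents and Settings\\user\\My Documents\\My Music\\song2.mp3.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
C:\\My Documents.zip/My Documents/Photos/P0000001.JPG.vbs -> Worm.LoveLetter : Cleaned with backup (quarantined).
::Report end
"""


def parse_line(line):
    """Return {'path','detection','action'} for a report line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def is_double_extension_script(path):
    """True for names like photo.JPG.vbs: a decoy extension followed by a script one."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 3:
        return False
    return "." + parts[-1] in SCRIPT_EXTS and "." + parts[-2] in DECOY_EXTS


def in_archive(path):
    """Scanners report archive members as <archive>.zip/<member>."""
    return re.search(r"\.(zip|rar|cab)/", path, re.IGNORECASE) is not None


def triage(lines):
    families = Counter()
    companions, archived = [], []
    skipped = 0  # non-empty lines that are not report entries (e.g. '::Report end')
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                skipped += 1
            continue
        families[rec["detection"]] += 1
        if is_double_extension_script(rec["path"]):
            companions.append(rec["path"])
        if in_archive(rec["path"]):
            archived.append(rec["path"])
    return {"families": families, "companions": companions,
            "archived": archived, "skipped": skipped}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT.splitlines())
    for family, count in result["families"].most_common():
        print(f"{count:4d}  {family}")
    print("double-extension script companions:", len(result["companions"]))
    print("hits inside archives (need manual re-pack):", len(result["archived"]))
```

Run it against a saved report with `python triage.py < report.txt` after swapping `SAMPLE_REPORT.splitlines()` for `sys.stdin`; the `companions` list is the set of files to check with the user before restoring anything from quarantine, since the original `.mp3`/`.JPG` they masquerade as may already have been overwritten by the worm.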

HijackThis uninstall_list

Unread postby youxuan » February 22nd, 2007, 11:06 pm

ACDSee 6.0 PowerPack
Adobe Acrobat 5.0
Adobe Download Manager 2.0 (Remove Only)
Adobe InDesign CS Time Limited Trial
Adobe Photoshop 6.0
Adobe Reader 7.0.5
Adobe® Photoshop® Album Starter Edition 3.0
AVG 7.5
AVG Anti-Spyware 7.5
Command
DirectX 8.1 Hotfix - KB839643
EPSON Printer Software
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for MDAC 2.53 (KB911562)
HyperLoad
J2SE Runtime Environment 5.0 Update 3
LimeWire 4.9.33
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft Office 2000 Premium
Microsoft VGX Q833989
Mozilla Firefox (1.0.2)
NavExcel Search Toolbar (remove only)
Nero - Burning Rom (Web installer)
Network Monitor
NJStar Chinese Word Processor
OLYMPUS CAMEDIA Master 4.1
Palm Desktop
Picasa 2
Pop-Up Stopper Free Edition
QuickTime
RealPlayer
ResumeMaker
Screensavers Installer
Security Update for Windows 2000 (KB904706)
Shopping Wizard
Spybot - Search & Destroy 1.3
System Alert Popup
Update Rollup 1 for Windows 2000 SP4
Windows 2000 Hotfix - KB834707
Windows 2000 Hotfix - KB842773
Windows 2000 Hotfix - KB889293
Windows 2000 Hotfix - KB890046
Windows 2000 Hotfix - KB893756
Windows 2000 Hotfix - KB894320
Windows 2000 Hotfix - KB896358
Windows 2000 Hotfix - KB896422
Windows 2000 Hotfix - KB896423
Windows 2000 Hotfix - KB896424
Windows 2000 Hotfix - KB896727
Windows 2000 Hotfix - KB897715
Windows 2000 Hotfix - KB899587
Windows 2000 Hotfix - KB899588
Windows 2000 Hotfix - KB899589
Windows 2000 Hotfix - KB900725
Windows 2000 Hotfix - KB901017
Windows 2000 Hotfix - KB901214
Windows 2000 Hotfix - KB902400
Windows 2000 Hotfix - KB905414
Windows 2000 Hotfix - KB905495
Windows 2000 Hotfix - KB905749
Windows 2000 Hotfix - KB905915
Windows 2000 Hotfix - KB908519
Windows 2000 Hotfix - KB908523
Windows 2000 Hotfix - KB908531
Windows 2000 Hotfix - KB911280
Windows 2000 Hotfix - KB911567
Windows 2000 Hotfix - KB912919
Windows 2000 Hotfix - KB913580
Windows 2000 Hotfix - KB914388
Windows 2000 Hotfix - KB914389
Windows 2000 Hotfix - KB916281
Windows 2000 Hotfix - KB917159
Windows 2000 Hotfix - KB917537
Windows 2000 Hotfix - KB917736
Windows 2000 Hotfix - KB917953
Windows 2000 Service Pack 4
Windows Installer 3.1 (KB893803)
Windows Media Player Hotfix [See Q828026 for more information]
WinRAR archiver
WinZip Self-Extractor
Yahoo! Browser Services
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Photos Easy Upload Tool 1v6
Yahoo! Toolbar
youxuan

Unread postby John B. » February 23rd, 2007, 7:14 am

Hi,

Looks like it worked, and it also looks like AVG found some other malware. You posted the wrong log (an uninstall log instead of a HJT log), but we had to do this step anyway.

Step 1: Download and Run ComboScan
Download ComboScan to your Desktop
  • Close all applications and windows
  • Double-click on comboscan.exe to run it, and follow the prompts
  • When the scan is complete, a text file will open - ComboScan.txt
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in a new reply
  • A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt
  • Also post Supplementary.txt

Greets, John.
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

ComboScan report

Unread postby youxuan » February 23rd, 2007, 11:02 pm

ComboScan v20070221.16 run by YouXuan1 on 2007-02-23 at 21:51:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Performed disk cleanup.


-- HijackThis (run as YouXuan1.exe) ---------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:51:44 PM, on 2/23/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Documents and Settings\YouXuan1\Local Settings\Temporary Internet Files\Content.IE5\FHI6NJHX\comboscan[1].exe
C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\YouXuan1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\atlci.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe


-- HijackThis Fixed Entries (C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\backups\) --------------------------------------------------------------------------------

backup-20070219-223220-414 O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
backup-20070219-223220-462 O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
backup-20070219-223220-535 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
backup-20070219-223220-647 O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
backup-20070219-223220-783 O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\atlci.exe (file missing)
backup-20070219-224302-175 O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
backup-20070219-224302-320 O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
backup-20070219-224302-689 O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
backup-20070219-224302-721 O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
backup-20070219-224302-899 O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\atlci.exe (file missing)
backup-20070219-224314-211 O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
backup-20070219-224315-356 O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\atlci.exe (file missing)
backup-20070219-224315-773 O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
backup-20070219-224322-245 O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
backup-20070219-224322-784 O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\atlci.exe (file missing)
backup-20070219-224330-208 O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\atlci.exe (file missing)
backup-20070219-224330-261 O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
backup-20070219-224330-851 O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
backup-20070219-224448-109 O2 - BHO: (no name) - {67982BB7-0F95-44C5-92DC-E3AF3DC19D6D} - C:\Program Files\Video Access ActiveX Object\isadd.dll
backup-20070219-224449-549 O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
backup-20070219-224449-770 O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\atlci.exe (file missing)

-- File Associations ------------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINNT\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R Avg7Core (AVG7 Kernel) - C:\WINNT\system32\drivers\avg7core.sys
1R Avg7RsNT (AVG7 Resident Driver NT) - C:\WINNT\system32\drivers\avg7rsnt.sys
1R Avg7RsW (AVG7 Wrap Driver) - C:\WINNT\system32\drivers\avg7rsw.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINNT\system32\drivers\AvgAsCln.sys
1R AvgClean (AVG7 Clean Driver) - C:\WINNT\system32\drivers\avgclean.sys
2R AvgTdi (AVG Network Redirector) - C:\WINNT\system32\drivers\avgtdi.sys
3S CCDECODE (Closed Caption Decoder) - C:\WINNT\system32\drivers\ccdecode.sys
3R crtaud (Conexant Riptide WDM Audio Driver) - C:\WINNT\system32\drivers\crtaud.sys
3R DC21x4 (DC21x4 Based Network Adapter Driver) - C:\WINNT\system32\drivers\dc21x4.sys
3R i81x - C:\WINNT\system32\drivers\i81xnt5.sys
3S MPE (BDA MPE Filter) - C:\WINNT\system32\drivers\mpe.sys
3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINNT\system32\drivers\mstee.sys
3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINNT\system32\drivers\nabtsfec.sys
3S pfc (Padus ASPI Shell) - C:\WINNT\system32\drivers\pfc.sys
0R PxHelp20 - C:\WINNT\system32\drivers\pxhelp20.sys
3R rthwcls (Conexant Riptide Bus / Firmware Downloader) - C:\WINNT\system32\drivers\rthwcls.sys
3S SLIP (BDA Slip De-Framer) - C:\WINNT\system32\drivers\slip.sys
3S streamip (BDA IPSink) - C:\WINNT\system32\drivers\streamip.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINNT\system32\drivers\usbprint.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINNT\system32\drivers\usbstor.sys
3S WSTCODEC (World Standard Teletext Codec) - C:\WINNT\system32\drivers\wstcodec.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

2S 11Fßä#·ºÄÖ`I (Remote Procedure Call (RPC) Helper) - C:\WINNT\atlci.exe /s
2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2R Avg7Alrt (AVG7 Alert Manager Server) - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
2R Avg7UpdSvc (AVG7 Update Service) - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
2R AVGEMS (AVG E-mail Scanner) - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
4S Network Monitor - C:\Program Files\Network Monitor\netmon.exe service
2R WMDM PMSP Service - C:\WINNT\System32\mspmspsv.exe
3S WmdmPmSN (Portable Media Serial Number Service) - C:\WINNT\System32\svchost.exe -k netsvcs


-- Files created between 2007-01-23 and 2007-02-23 ------------------------------

2007-02-21 19:03:50 3968 --a------ C:\WINNT\system32\drivers\AvgAsCln.sys
2007-02-20 20:51:42 0 dr-h----- C:\$VAULT$.AVG
2007-02-20 19:32:50 0 d-------- C:\Documents and Settings\YouXuan1\Application Data\AVG7
2007-02-20 19:32:38 0 d-------- C:\Documents and Settings\Default User.WINNT\Application Data\AVG7
2007-02-20 19:32:34 3968 --a------ C:\WINNT\system32\drivers\avgclean.sys
2007-02-20 19:32:33 4960 --a------ C:\WINNT\system32\drivers\avgtdi.sys
2007-02-20 19:32:33 19392 --a------ C:\WINNT\system32\drivers\avgmfx86.sys
2007-02-20 19:32:33 27776 --a------ C:\WINNT\system32\drivers\avg7rsxp.sys
2007-02-20 19:32:31 26944 --a------ C:\WINNT\system32\drivers\avg7rsnt.sys
2007-02-20 19:32:28 4224 --a------ C:\WINNT\system32\drivers\avg7rsw.sys
2007-02-20 19:32:20 775680 --a------ C:\WINNT\system32\drivers\avg7core.sys
2007-02-20 19:32:08 0 d-------- C:\Program Files\Grisoft
2007-02-20 19:32:08 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Grisoft
2007-02-20 19:32:08 0 d-a------ C:\Documents and Settings\All Users.WINNT\Application Data\avg7
2007-02-20 19:01:03 1310 --a------ C:\WINNT\system32\tmp.reg
2007-02-20 19:00:12 79360 --a------ C:\WINNT\system32\swxcacls.exe
2007-02-20 19:00:11 40960 --a------ C:\WINNT\system32\swsc.exe
2007-02-20 19:00:11 135168 --a------ C:\WINNT\system32\swreg.exe
2007-02-20 19:00:11 288417 --a------ C:\WINNT\system32\SrchSTS.exe
2007-02-20 19:00:11 53248 --a------ C:\WINNT\system32\Process.exe
2007-02-20 19:00:11 51200 --a------ C:\WINNT\system32\dumphive.exe
2007-02-19 21:52:25 0 d-------- C:\Program Files\WinZip Self-Extractor<WINZIP~1>
2007-02-19 21:36:13 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
2007-02-19 20:04:25 0 d-------- C:\Program Files\PC MightyMax<PCMIGH~1>
2007-02-19 16:31:55 0 d-------- C:\Program Files\Enigma Software Group<ENIGMA~1>


-- Find3M Report ----------------------------------------------------------------

2007-02-20 22:28:38 707 --a------ C:\WINNT\_default.pif
2007-02-20 22:27:03 11388 --a------ C:\WINNT\zqfyu.dat
2007-02-20 22:26:30 7305 --a------ C:\WINNT\xasqo.dat
2007-02-20 22:26:18 193296 --a------ C:\WINNT\winrep.exe
2007-02-20 22:26:01 270608 --a------ C:\WINNT\winhlp32.exe
2007-02-20 22:25:22 11388 --a------ C:\WINNT\vuzwq.dat
2007-02-20 22:25:10 20240 --a------ C:\WINNT\vmmreg32.dll
2007-02-20 22:25:06 33792 --a------ C:\WINNT\vgxuninst.exe<VGXUNI~1.EXE>
2007-02-20 22:24:55 15120 --a------ C:\WINNT\upwizun.exe
2007-02-20 22:24:52 11388 --a------ C:\WINNT\uotfy.dat
2007-02-20 22:24:46 86016 --a------ C:\WINNT\unvise32qt.exe<UNVISE~1.EXE>
2007-02-20 22:24:44 757760 --a------ C:\WINNT\Unnero.exe
2007-02-20 22:24:28 86016 --a------ C:\WINNT\Unin.exe
2007-02-20 22:24:26 26384 --a------ C:\WINNT\twunk_32.exe
2007-02-20 22:24:21 49680 --a------ C:\WINNT\twunk_16.exe
2007-02-20 22:24:17 44816 --a------ C:\WINNT\twain_32.dll
2007-02-20 22:24:15 94784 --a------ C:\WINNT\twain.dll
2007-02-20 22:23:58 3362 --a------ C:\WINNT\sxkyz.dat
2007-02-20 22:23:07 46352 --a------ C:\WINNT\setdebug.exe
2007-02-20 22:22:29 3567 --a------ C:\WINNT\resyf.dat
2007-02-20 22:22:27 57344 --a------ C:\WINNT\remover.dll
2007-02-20 22:22:15 73488 --a------ C:\WINNT\regedit.exe
2007-02-20 22:22:11 3347 --a------ C:\WINNT\qthmx.dat
2007-02-20 22:21:46 3063 --a------ C:\WINNT\ofnqb.dat
2007-02-20 22:21:24 107118 --a------ C:\WINNT\n_zjdxdg.dat
2007-02-20 22:21:18 124928 --a------ C:\WINNT\n_zcavfg.dat
2007-02-20 22:21:16 29256 --a------ C:\WINNT\n_yrpjqm.dat
2007-02-20 22:21:07 79974 --a------ C:\WINNT\n_wwoxiv.dat
2007-02-20 22:20:51 124928 --a------ C:\WINNT\n_weiisx.dat
2007-02-20 22:20:40 107118 --a------ C:\WINNT\n_uvcnbd.dat
2007-02-20 22:20:21 78950 --a------ C:\WINNT\n_taqjqx.dat
2007-02-20 22:20:18 107118 --a------ C:\WINNT\n_sukjee.dat
2007-02-20 22:20:10 107118 --a------ C:\WINNT\n_pctdfo.dat
2007-02-20 22:19:58 107118 --a------ C:\WINNT\n_mjnbbu.dat
2007-02-20 22:19:43 29256 --a------ C:\WINNT\n_hmizop.dat
2007-02-20 22:19:41 88259 --a------ C:\WINNT\n_gybfjo.dat
2007-02-20 22:18:46 87747 --a------ C:\WINNT\n_alropq.dat
2007-02-20 22:18:44 29256 --a------ C:\WINNT\n_affghj.dat
2007-02-20 22:18:34 327680 --a------ C:\WINNT\nxstinst.exe
2007-02-20 22:18:06 50960 --a------ C:\WINNT\NOTEPAD.EXE
2007-02-20 22:17:45 33280 --a------ C:\WINNT\muninst.exe
2007-02-20 22:17:27 69632 --a------ C:\WINNT\msconfig.exe
2007-02-20 22:17:20 11388 --a------ C:\WINNT\mrkyz.dat
2007-02-20 22:16:39 7536 --a------ C:\WINNT\loadqm.exe
2007-02-20 22:14:58 56320 --a------ C:\WINNT\jlici.dll
2007-02-20 22:14:42 6550 --a------ C:\WINNT\jautoexp.dat
2007-02-20 22:14:38 306688 --a------ C:\WINNT\IsUninst.exe
2007-02-20 22:14:13 11591 --a------ C:\WINNT\fvhfr.dat
2007-02-20 22:14:06 606848 --a------ C:\WINNT\flashax.exe
2007-02-20 22:13:35 41744 --a------ C:\WINNT\discover.exe
2007-02-20 22:13:21 5392 --a------ C:\WINNT\delttsul.exe
2007-02-20 22:13:01 11388 --a------ C:\WINNT\cqqlt.dat
2007-02-20 22:11:36 11592 --a------ C:\WINNT\ajyzl.dat
2007-02-20 22:11:10 11591 --a------ C:\WINNT\acbil.dat
2007-02-20 22:10:36 0 d-------- C:\Program Files\Winamp
2007-02-19 20:04:27 0 d-------- C:\Documents and Settings\YouXuan1\Application Data\Microsoft<MICROS~1>
2007-02-19 12:28:15 0 dr------- C:\Program Files\Powerword 2003 Medicine<POWERW~1>
2007-01-31 21:25:30 0 d-------- C:\Program Files\NJStar Chinese WP<NJSTAR~1>


-- Registry Dump ----------------------------------------------------------------


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Synchronization Manager"="mobsync.exe /logon"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"="C:\\Program Files\\Internet Explorer\\Connection Wizard\\icwconn1.exe /desktop"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe /background"
"areslite"="C:\\Program Files\\Ares Lite Edition\\AresLite.exe -h"
"ares"="C:\\Program Files\\Ares\\Ares.exe -h"
"qwzz"="C:\\PROGRA~1\\COMMON~1\\qwzz\\qwzzm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Synchronization Manager"="mobsync.exe /logon"
"NeroCheck"="C:\\WINNT\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"adduy.exe"="C:\\WINNT\\system32\\adduy.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_03\\bin\\jusched.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"LINUX32"="C:\\WINNT\\system32\\LINUX32.vbs"
"ntdll.dll"="C:\\WINNT\\system32\\LINUX32.vbs"
"AdwareAlert"="C:\\Program Files\\AdwareAlert\\AdwareAlert.exe -boot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]
"reload"="C:\\WINNT\\reload.vbs"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
rpcss REG_MULTI_SZ RpcSs\0\0
wugroup REG_MULTI_SZ wuauserv\0\0
BITSgroup REG_MULTI_SZ BITS\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints\M]
Shell\AutoRun\command M:\autorun.exe


-- End of ComboScan: finished at 2007-02-23 at 21:52:27 -------------------------
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm

supplementary

Unread postby youxuan » February 23rd, 2007, 11:04 pm

ComboScan v20070221.16 run by YouXuan1 on 2007-02-23 at 21:51:30
Supplementary logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information -----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 71%
Physical Memory (total/avail): 190.48 MiB / 54.85 MiB
Pagefile Memory (total/avail): 459.43 MiB / 299.51 MiB
Virtual Memory (total/avail): 2047.88 MiB / 2015.02 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 28.62 GiB total, 14.97 GiB free.
E: is CDROM (No Media)
M: is CDROM (CDFS)


-- Security Center --------------------------------------------------------------

AUOptions is set to notify before install.


-- Environment Variables --------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINNT
APPDATA=C:\Documents and Settings\YouXuan1\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=YOUXUAN
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\YouXuan1
LOGONSERVER=\\YOUXUAN
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\Program Files\Internet Explorer;;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\Common Files\STOPzilla!
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\YouXuan1\LOCALS~1\Temp
TMP=C:\DOCUME~1\YouXuan1\LOCALS~1\Temp
USERDOMAIN=YOUXUAN
USERNAME=YouXuan1
USERPROFILE=C:\Documents and Settings\YouXuan1
windir=C:\WINNT


-- User Profiles ----------------------------------------------------------------

YouXuan1 (admin)
Administrator (new local, admin)


-- Add/Remove Programs ----------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ACDSee 6.0 PowerPack --> MsiExec.exe /I{38A0BB97-772D-422E-BCCA-4BA2A5D81F42}
Adobe Acrobat 5.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Download Manager 2.0 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe InDesign CS Time Limited Trial --> RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{8E300EFF-F690-4B24-ACEA-6A09F1D7F5FA}\zidxp.exe"
Adobe Photoshop 6.0 --> C:\WINNT\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 6.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 6.0\Uninst.dll"
Adobe Reader 7.0.5 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Command --> wscript "C:\WINNT\WW91WHVhbg\qq6YqJp1v0.vbs"
DirectX 8.1 Hotfix - KB839643 --> C:\WINNT\$NtUninstallKB839643-DirectX81$\spuninst\spuninst.exe
EPSON Printer Software --> C:\WINNT\system32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
HijackThis 1.99.1 --> C:\Documents and Settings\YouXuan1\Desktop\www.winzip.com\HijackThis.exe /uninstall
HyperLoad --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Nabisco\HyperLoad\Uninst.isu"
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
LimeWire 4.9.33 --> "C:\Program Files\LimeWire\uninstall.exe"
Macromedia Flash Player 8 --> C:\WINNT\system32\Macromed\Flash\UninstFl.exe
Macromedia Shockwave Player --> C:\WINNT\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINNT\system32\Macromed\SHOCKW~1\Install.log
Microsoft Office 2000 Premium --> MsiExec.exe /I{00000409-78E1-11D2-B60F-006097C998E7}
Microsoft VGX Q833989 --> C:\WINNT\vgxuninst.exe C:\WINNT\INF\Q833989.inf
Mozilla Firefox (1.0.2) --> C:\WINNT\UninstallFirefox.exe /ua "1.0.2 (en-US)"
NavExcel Search Toolbar (remove only) --> C:\WINNT\nxstinst.exe -u
Nero - Burning Rom (Web installer) --> C:\WINNT\UNNERO.exe /UNINSTALL
Network Monitor --> wscript "C:\WINNT\uninstall_nmon.vbs"
NJStar Chinese Word Processor --> "C:\Program Files\NJStar Chinese WP\Remove.exe" /U:"C:\Program Files\NJStar Chinese WP\Remove.log"
OLYMPUS CAMEDIA Master 4.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{30BB4D60-81DB-11D5-BB77-00400536ABAC}\setup.exe" CAMEDIA Master 4.1
Palm Desktop --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BA0F44C2-A883-11D1-AD0A-006097D15E2C}\setup.exe" Uninstall
Picasa 2 --> "C:\Program Files\Picasa2\Uninstall.exe"
Pop-Up Stopper Free Edition --> C:\PROGRA~1\PANICW~1\POP-UP~1\UNWISE.EXE C:\PROGRA~1\PANICW~1\POP-UP~1\INSTALL.LOG
QuickTime --> C:\WINNT\unvise32qt.exe C:\WINNT\System32\QuickTime\Uninstall.log
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
ResumeMaker --> C:\PROGRA~1\RESUME~1\UNWISE.EXE C:\PROGRA~1\RESUME~1\INSTALL.LOG
Screensavers Installer --> "C:\Program Files\Screensavers.com\Installer\bin\siuninst.exe"
Security Update for Windows 2000 (KB904706) --> "C:\WINNT\$NtUninstallKB904706$\spuninst\spuninst.exe"
Shopping Wizard --> rundll32 url.dll,FileProtocolHandler http://looking-for.cc/uninstall/ShoppingWizard.html
Spybot - Search & Destroy 1.3 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
System Alert Popup --> C:\DOCUME~1\YouXuan1\LOCALS~1\Temp\laf37.tmp /del
Windows 2000 Service Pack 4 --> C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip Self-Extractor --> "C:\Program Files\WinZip Self-Extractor\wzipse32.exe" -uninstall
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Internet Mail --> C:\WINNT\system32\regsvr32 /u /s
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Photos Easy Upload Tool 1v6 --> C:\WINNT\system32\regsvr32 /u /s
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


-- End of ComboScan: finished at 2007-02-23 at 21:52:27 -------------------------
youxuan
Active Member
 
Posts: 13
Joined: February 19th, 2007, 11:27 pm