# Solved: HELP!!! W32.looked.p + Infostealer



## yingybaby (Nov 14, 2006)

I only got the virus about 4 days ago, but now my computer is nearly dead!!!
All my software and .exe files on C:\ and D:\ are not working.
I used Norton AntiVirus 2005 to search for viruses; it showed that my computer has 200 viruses, and then it also said that none of those files can be cleaned.
What can I do now? My computer hasn't got any pop-ups, so I think it is not being hijacked.
Is there any chance that I can clean those infected files?

My computer is Windows XP.
I can't post all the information because there is too much!!!
And also I don't really know anything about cleaning viruses.
Please help, and thanks!!!

Logfile of HijackThis v1.99.1
Scan saved at 16:42:55, on 15/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC6E7DA-405D-4B55-A720-5CE92D3443B3}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby*.

Welcome to TSG.

See if you can download, set up and run this program:

*Click here* to download *HJTsetup.exe*

Save HJTsetup.exe to your desktop.
Doubleclick on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This. 
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a logfile* button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## yingybaby (Nov 14, 2006)

I've downloaded HJT and also posted the info.
So what do I need to do now?
If this message is irrelevant, please can someone delete it.


----------



## JSntgRvr (Jul 1, 2003)

yingybaby said:

> I've downloaded HJT and also posted the info.
> So what do I need to do now?
> If this message is irrelevant, please can someone delete it.

I will review the log and be right back.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

Download *SDFix* and save it to your desktop.

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

 In Safe Mode, right click the SDFix.zip folder and choose *Extract All*, 
 Open the extracted folder and double click *RunThis.bat* to start the script. 
 Type *Y* to begin the script.
 It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. 
 Press any Key and it will restart the PC. 
Your system will take longer than normal to restart, as the fixtool will be running and removing files.
 When the desktop loads the Fixtool will complete the removal and display *Finished*, then press any key to end the script and load your desktop icons.
 Finally open the SDFix folder on your desktop and copy and paste the contents of the results file *Report.txt* back onto the forum with a new HijackThis log


----------



## yingybaby (Nov 14, 2006)

Thanks, but I think I've got a problem again.
WinRAR is in C:\ as well, so that means I can't use it
(because they are all infected, so I used Norton AntiVirus).
How can I open that zip folder?


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

Andy's site seems to be experiencing problems right now. If you cannot open a .zip folder, remove Winrar. Then follow these steps to reset your file association:


*Copy the entire contents of the Quote Box * below to *Notepad*. 
Name the file as *Zipfix.reg * 
Change the *Save as Type* to *All Files * 
and *Save* it on the *desktop* 
Make sure you leave a blank line at the bottom of the script, but leave no empty lines at the beginning of the script.
Once saved, double click on the *Zipfix.reg* file and merge it into the Registry.
Restart the computer.



> Windows Registry Editor Version 5.00
> 
> [HKEY_CLASSES_ROOT\.zip]
> @="CompressedFolder"
> ...


You should now be able to open and zip files and folders.

I don't know if you were able to download *SDFIX*. If you did, extract its contents as instructed above and run the program accordingly.

Else, please *download* the *Killbox by Option^Explicit*.

*Note*:* In the event you already have Killbox, this is a new version that I need you to download*.

 *Save* it to your *desktop*.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe

Now close all windows and browsers, other than HiJackThis, then click *Fix Checked*.

Close Hijackthis.

 Please double-click *Killbox.exe* to run it.
 Select:
*Delete on Reboot*
 then *Click* on the *All Files* button.

Please *copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\WINDOWS\rundl132.exe
C:\WINDOWS\system32\wdfmgr32.exe
C:\WINDOWS\Download\svhost32.exe
*

 Return to Killbox, go to the *File* menu, and choose *Paste from Clipboard*.

Click the red-and-white *Delete File* button. Click *Yes* at the Delete on Reboot prompt. Click *OK* at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

_*If your computer does not restart automatically, please restart it manually*_.

_If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again._

*Post a fresh Hijackthis log.*
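
The three entries the helper singled out share a pattern worth making mechanical. Below is an added example, not code from the thread or from HijackThis, that runs a few of the log lines posted here through the checks a log reader applies by eye: a filename one edit away from a genuine Windows binary once digits are ignored (rundl132 vs rundll32, svhost32 vs svchost), an autostart from a download or temp folder, a double extension, a service whose image has no directory at all, and any third-party Winsock LSP. The allowlist of system binaries, the one-edit threshold and the directory lists are my own choices; the `win.ini` `load=` line is a legacy autostart location that HijackThis reports under F3.

```python
"""Triage heuristics for HijackThis log lines.

Added example for this thread; it is not HijackThis code and not
something the helpers posted. The sample lines are copied from the logs
above (one from the SDFix report); the allowlist and thresholds are my
own choices.
"""
import re
from typing import List, Optional, Tuple

# Genuine Windows XP binaries whose names malware likes to imitate.
# wdfmgr.exe is the User-Mode Driver Framework manager in system32.
SYSTEM_BINARIES = [
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "rundll32.exe", "ctfmon.exe", "wdfmgr.exe",
]
# Directory names a system binary never auto-starts from.
SUSPICIOUS_DIRS = {"download", "temp"}
# Where a service with no vendor string (HJT: "Unknown owner") is still plausible.
STANDARD_DIRS = ("\\system32\\", "\\program files\\", "\\progra~1\\")

# First drive-letter path ending in .exe/.dll; spaces are allowed so quoted
# "Program Files" paths work. The lookahead keeps "ck3.exe.exe" whole.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll)(?![\w.])", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short filenames so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str) -> Optional[str]:
    """Return the system binary `name` imitates, or None.

    Digits are stripped on both sides first, so the substituted or appended
    digits in rundl132 / svhost32 / wdfmgr32 cannot hide a one-edit copy.
    """
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None                         # the genuine name itself
    stripped = re.sub(r"\d", "", name)
    for real in SYSTEM_BINARIES:
        if levenshtein(stripped, re.sub(r"\d", "", real)) <= 1:
            return real
    return None


def extract_path(line: str) -> Optional[str]:
    """Image path from an HJT line; O23 service lines may carry a bare name."""
    m = PATH_RE.search(line)
    if m:
        return m.group(0)
    if line.startswith("O23"):
        return line.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip()
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for every line that trips a heuristic."""
    findings = []
    for line in lines:
        if line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append((line, "third-party Winsock LSP; identify before touching the chain"))
            continue
        path = extract_path(line)
        if not path:
            continue
        parts = path.lower().split("\\")
        directory, base = "\\".join(parts[:-1]), parts[-1]
        real = lookalike(base)
        if real:
            findings.append((line, f"{base} imitates {real}"))
        if SUSPICIOUS_DIRS & set(parts[:-1]):
            findings.append((line, f"autostart from {directory}"))
        if base.endswith(".exe.exe"):
            findings.append((line, "double extension"))
        if line.startswith("O23"):
            if "\\" not in path:
                findings.append((line, "service image has no directory"))
            elif "Unknown owner" in line and not any(d in path.lower() for d in STANDARD_DIRS):
                findings.append((line, "vendor-less service outside system32/Program Files"))
    return findings


# Lines copied from the logs and the SDFix report posted in this thread.
SAMPLE_LOG = [
    r"F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe",
    r"O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe",
    r"O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll",
    r"O23 - Service: Network Logons (NetWorkLogons) - Unknown owner - rundll32.exe (file missing)",
    r"O23 - Service: Distributed Link Tracking Clientbjh (ServiceBJH) - Unknown owner - C:\WINDOWS\BJH\server.exe",
    r"O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe",
    r"C:\DOCUME~1\NKL\LOCALS~1\Temp\ck3.exe.exe",
]

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:60} <- {line}")
```

The lookalike rule is deliberately narrow (one edit after digit stripping); widening it to two edits starts matching legitimate vendor binaries, which is why HijackThis itself does not attempt this and leaves the judgement to the reader.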


----------



## yingybaby (Nov 14, 2006)

*here is the SDFix Report*

SDFix: Version 1.38
-------------------

Scan run on: 
16/11/2006 Thu

Time:
15:53

Microsoft Windows XP [version 5.1.2600]

Running from: C:\Documents and Settings\NKL\desktop\SDFix\SDFix

Stage One...

Checking Services...

Name: 
-----

Path:
----

Repairing Registry...

Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\DOCUME~1\NKL\LOCALS~1\Temp\ck3.exe.exe
C:\DOCUME~1\NKL\LOCALS~1\Temp\shua.exe.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\system32\system32.exe

Backing Up and Removing any Files Found...

Final Check:

Services:
---------

Files:
------

Any files removed are saved to the SDFix\backups Folder

FINISHED

*Now here is the HJT report. I think it is the same as before.*

Logfile of HijackThis v1.99.1
Scan saved at 16:09:49, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [rtatu] %systemroot%\system32\Rundll32.exe %systemroot%\system32\rtatu.dll,DllUnregisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wshcon32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC6E7DA-405D-4B55-A720-5CE92D3443B3}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Logons (NetWorkLogons) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Distributed Link Tracking Clientbjh (ServiceBJH) - Unknown owner - C:\WINDOWS\BJH\server.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

Set Explorer to view Hidden Files and Folders:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Show all Files and Folders
Select *Apply to All Folders* | *Yes* | *Apply* | *OK*.
Please go here:
*The Spy Killer Forum*
Click on "New Topic"
Put your name, e-mail address, and this as the title: "*c:\windows\system32\aelupsvc32.dll*"
Put a link to this thread in the description box.
Then next to the file box, at the bottom, click the *browse* button, then navigate to this file:

*c:\windows\system32\aelupsvc32.dll*

Click *Open*.
Press the more attachments button.
click the *browse* button, then navigate to this file:

*c:\windows\system32\wshcon32.dll*

When all the files are listed in the window Click *Post*.
Set Explorer to Defaults:

Right-click your Start button and go to "Explore".
Select Tools from the menu
Select Folder Options
Select the View tab
Click on Restore Defaults
Select *Apply to All Folders* | *Yes* | *Apply* | *OK*.

*The spykiller forum will review these files for us and let us know if they represent a threat for your computer. Please do not delete these files unless instructed.*

Please *download* the *Killbox by Option^Explicit*.

*Note*:* In the event you already have Killbox, this is a new version that I need you to download*.

 *Save* it to your *desktop*.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [wdfmgr32] C:\WINDOWS\system32\wdfmgr32.exe
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\RunOnce: [rtatu] %systemroot%\system32\Rundll32.exe %systemroot%\system32\rtatu.dll,DllUnregisterServer
O23 - Service: Network Logons (NetWorkLogons) - Unknown owner - rundll32.exe (file missing)

Now close all windows and browsers, other than HiJackThis, then click *Fix Checked*.

Close Hijackthis.

 Please double-click *Killbox.exe* to run it.
 Select:
*Delete on Reboot*
 then *Click* on the *All Files* button.

Please *copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\WINDOWS\system32\wdfmgr32.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\system32\rtatu.dll*

 Return to Killbox, go to the *File* menu, and choose *Paste from Clipboard*.

Click the red-and-white *Delete File* button. Click *Yes* at the Delete on Reboot prompt. Click *OK* at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

_*If your computer does not restart automatically, please restart it manually*_.

_If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again._

*Post a fresh log and let us know how is the computer doing.*
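
Killbox's "Delete on Reboot" relies on a standard Windows mechanism rather than anything tool-specific: a request made with the Win32 call `MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT)` is queued in the `REG_MULTI_SZ` value `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations`, and the Session Manager carries the queue out early in the next boot, before the file can be locked or re-created by a running process. The prompt the helper asks to hear about appears when that value already holds entries, so knowing how to read it is useful. The following is an added example (not Killbox's code, and not from the thread) that decodes and builds the value; the delete targets are the paths listed above, and the one rename pair in the demo is constructed.

```python
r"""Decode and build the PendingFileRenameOperations value.

Added example for this thread, not Killbox's own code. The value is a
flat list of source/destination string pairs: the source is an NT path
("\??\C:\..."), an empty destination means delete, and a destination
beginning with "!" means overwrite an existing file. The delete targets
are the ones the helper listed above; the rename pair is constructed.
"""
from typing import List, Tuple, Union

KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"


def to_nt_path(win_path: str) -> str:
    r"""C:\x -> \??\C:\x, the object-manager form the Session Manager expects."""
    return win_path if win_path.startswith("\\??\\") else "\\??\\" + win_path


def encode_multi_sz(strings: List[str]) -> bytes:
    """REG_MULTI_SZ as stored: UTF-16LE, each string NUL-terminated, then one more NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(raw: bytes) -> List[str]:
    """Inverse of encode_multi_sz. Empty strings inside the list are kept,
    which matters here because an empty destination is how a delete is expressed."""
    items = raw.decode("utf-16-le").split("\0")
    # The final NUL terminator shows up as two trailing empty strings after split.
    if len(items) < 2 or items[-1] != "" or items[-2] != "":
        raise ValueError("not a terminated REG_MULTI_SZ")
    return items[:-2]


def parse_pending(value: Union[bytes, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (operation, source, destination) triples.

    `value` is either the raw bytes of the registry value or the list of
    strings that winreg.QueryValueEx returns for a REG_MULTI_SZ on Windows.
    """
    items = decode_multi_sz(value) if isinstance(value, (bytes, bytearray)) else list(value)
    if len(items) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        if dst == "":
            ops.append(("delete", src, ""))
        elif dst.startswith("!"):
            ops.append(("replace", src, dst[1:]))      # MOVEFILE_REPLACE_EXISTING
        else:
            ops.append(("rename", src, dst))
    return ops


def schedule_delete(paths: List[str]) -> bytes:
    """Build the value a delete-on-reboot of `paths` produces. A real tool
    appends to whatever is already queued; this builds a fresh value."""
    items: List[str] = []
    for p in paths:
        items += [to_nt_path(p), ""]
    return encode_multi_sz(items)


# The files the helper asked Killbox to remove on reboot.
KILLBOX_TARGETS = [
    r"C:\WINDOWS\system32\wdfmgr32.exe",
    r"C:\WINDOWS\Download\svhost32.exe",
    r"C:\WINDOWS\system32\rtatu.dll",
]

if __name__ == "__main__":
    queued = decode_multi_sz(schedule_delete(KILLBOX_TARGETS))
    # Constructed rename pair of the kind an installer queues, for contrast.
    queued += [r"\??\C:\WINDOWS\system32\new.dll.tmp", r"!\??\C:\WINDOWS\system32\new.dll"]
    for op, src, dst in parse_pending(encode_multi_sz(queued)):
        print(f"{op:8} {src}" + (f" -> {dst}" if dst else ""))
```

On a live XP machine the value can be read with `reg export` (feed the hex data to `decode_multi_sz`) or with `winreg.QueryValueEx`, whose list result goes straight into `parse_pending`. An entry you did not queue yourself deserves a look before you let the reboot proceed, since the same mechanism serves installers and malware alike.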


----------



## dvk01 (Dec 14, 2002)

Kaspersky tells me:
adware not-a-virus:AdWare.Win32.AdAgent.d - wshcon32.dll
adware not-a-virus:AdWare.Win32.WSearch.l - aelupsvc32.dll


----------



## yingybaby (Nov 14, 2006)

*After I did all the things that you told me to, I used HJT again.
I used that Killbox and restarted the computer; it didn't show anything.
(?) Is it because I always use safe mode since my computer has a virus?

And also I have now started to get some pop-ups on my computer... is there any reliable software that I can use to remove those pop-ups? (If not, never mind. I'll solve the virus first.)*

Logfile of HijackThis v1.99.1
Scan saved at 21:15:37, on 16/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [rtatu] %systemroot%\system32\Rundll32.exe %systemroot%\system32\rtatu.dll,DllUnregisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aelupsvc32.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\wshcon32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FC6E7DA-405D-4B55-A720-5CE92D3443B3}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Logons (NetWorkLogons) - Unknown owner - rundll32.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SAVScan - Unknown owner - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Distributed Link Tracking Clientbjh (ServiceBJH) - Unknown owner - C:\WINDOWS\BJH\server.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)


----------



## JSntgRvr (Jul 1, 2003)

Thank you,* Derek*. 

Hi, *yingybaby* 

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it.
Please download LSPFix from *here*.
Run the LSPFix.exe that you have just finished downloading.
Check the *I know what I'm doing* box.
In the *Keep* box you should see one or more instances of *aelupsvc32.dll* and *wshcon32.dll*.
Select every instance of *aelupsvc32.dll* and *wshcon32.dll*, and move each one to the *Remove* box by clicking the *>>* button.
When you are done click *Finish>>*.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\RunOnce: [rtatu] %systemroot%\system32\Rundll32.exe %systemroot%\system32\rtatu.dll,DllUnregisterServer
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Now close all windows and browsers, other than HiJackThis, then click *Fix Checked*.

Close Hijackthis.


Download the attached file, unzip it and save it to your *C:\ drive.*
When having saved it, the file path should be *C:\remove.txt*
Download and unzip *Avenger* to your desktop.
Open the *Avenger*.
Check *Load Script from File *and then click the folder Icon on the right side of that section.
Then browse to *C:\remove.txt* and click *open* to load it.
Then click the *green light* icon.
This will begin the execution of the script currently in memory.
After you have clicked on the green light to begin execution of a script, the Avenger will set itself up to run the next time you reboot your computer, and then will prompt you to restart immediately.
After your system restarts, a log file should open with the results of Avenger's actions. This log file is located at *C:\avenger.txt.* The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to *C:\avenger\backups.zip.*
Post the contents of the *C:\avenger.txt* file and a fresh *Hijackthis log*.
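The post above identifies *aelupsvc32.dll* and *wshcon32.dll* as Layered Service Provider DLLs hooked into the Winsock chain. The script below is an added example (not code from this thread or from LSPFix) that finds such entries in the text printed by `netsh winsock show catalog` on Windows XP SP2 and later: it parses each `Winsock Catalog Provider Entry` block and flags every provider whose DLL is not one of the stock Microsoft providers. The catalog dump embedded in it is constructed for the example; the field names follow netsh's format, but the column spacing of a real dump may differ, and the `KNOWN_GOOD` allowlist assumes a plain XP SP2 install with no third-party networking software.

```python
"""Audit a `netsh winsock show catalog` dump for foreign Layered Service Providers."""
import re
from pathlib import PureWindowsPath

# Assumption: stock XP SP2. Provider DLLs Microsoft ships in the Winsock catalog.
KNOWN_GOOD = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "wshtcpip.dll"}

# Constructed sample in netsh's layout: one base provider plus the two LSPs
# from the thread, each with the chain entry that routes TCP traffic through it.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        aelupsvc32 LSP
Provider Path:                      %SystemRoot%\system32\aelupsvc32.dll
Catalog Entry ID:                   1036
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        aelupsvc32 LSP over [MSAFD Tcpip [TCP/IP]]
Provider Path:                      %SystemRoot%\system32\aelupsvc32.dll
Catalog Entry ID:                   1037
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        wshcon32 LSP
Provider Path:                      %SystemRoot%\system32\wshcon32.dll
Catalog Entry ID:                   1038
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        wshcon32 LSP over [aelupsvc32 LSP over [MSAFD Tcpip [TCP/IP]]]
Provider Path:                      %SystemRoot%\system32\wshcon32.dll
Catalog Entry ID:                   1039
Protocol Chain Length:              3
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text):
    """One dict of 'Field: value' pairs per 'Winsock Catalog Provider Entry' block."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "Winsock Catalog Provider Entry":
            current = {}
            entries.append(current)
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return entries


def provider_dll(entry):
    """Basename of the provider DLL: '%SystemRoot%\\system32\\mswsock.dll' -> 'mswsock.dll'."""
    return PureWindowsPath(entry.get("Provider Path", "")).name.lower()


def audit(text):
    """Flag every catalog entry whose DLL is not a stock Microsoft provider.

    Chain length follows WSAPROTOCOL_INFO: 0 = the LSP itself, 1 = a base
    provider, >1 = a protocol chain that routes socket calls through LSPs.
    """
    findings = []
    for e in parse_catalog(text):
        dll = provider_dll(e)
        if not dll or dll in KNOWN_GOOD:
            continue
        chain_len = int(e.get("Protocol Chain Length", "1"))
        role = {0: "LSP", 1: "base provider"}.get(chain_len, "chain entry")
        findings.append({"id": int(e["Catalog Entry ID"]), "dll": dll,
                         "role": role, "description": e.get("Description", "")})
    return findings


def suspicious_dlls(text):
    return sorted({f["dll"] for f in audit(text)})


def suspicious_ids(text):
    return sorted(f["id"] for f in audit(text))


if __name__ == "__main__":
    for f in audit(SAMPLE_CATALOG):
        print(f"{f['id']}  {f['role']:<13} {f['dll']:<16} {f['description']}")
```

The catalog IDs it returns are the entries a cleanup would have to remove, and the chain entries show why removing the DLL alone is not enough: every chain that routes through the LSP must go too, or the catalog is left inconsistent and TCP/IP stops working (the "can't connect" state reported later in this thread). On XP SP2 and later, `netsh winsock reset` rebuilds the catalog from scratch and is the built-in equivalent of the WinsockXPFix step suggested below.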


----------



## yingybaby (Nov 14, 2006)

I've downloaded LSPFix but it is not opening!!!
It says "'Params' is not a valid integer value."
What can I do?


----------



## JSntgRvr (Jul 1, 2003)

Standby


----------



## yingybaby (Nov 14, 2006)

I've tried a few times; still it doesn't work!!!


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

Let's try this.

Delete the LSPFIX downloaded, then download *LSPFIX.EXE*. This time save it to your C:\ folder (Root directory). Open *My computer* and navigate to *C:\LSPFix.exe*

Run the LSPFix.exe that you have just finished downloading.
Check the *I know what I'm doing* box.
In the *Keep* box you should see one or more instances of *aelupsvc32.dll* and *wshcon32.dll*.
Select every instance of *aelupsvc32.dll* and *wshcon32.dll*, and move each one to the *Remove* box by clicking the *>>* button.
When you are done click *Finish>>*.

Let me know how it goes.


----------



## dvk01 (Dec 14, 2002)

We have been looking at the files on this one & it has some sneaky tricks to stop removal.

Don't try & remove any files yet or use LSPFix, as it will make it worse.

There has been an update to ComboFix to attempt to deal with this, so try this version of ComboFix before doing anything else please:

http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe

Download Combofix to your desktop:

* Double-click combofix.exe & follow the prompts.
* When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


----------



## JSntgRvr (Jul 1, 2003)

Thanks, *Derek.* :up:


----------



## yingybaby (Nov 14, 2006)

I still can't open LSPFix.exe, even though I downloaded it from another site.
Then I downloaded combofix.exe.
After I used it, I cannot use my broadband and my computer is really, really slow every time I turn it on, no matter whether it's in safe mode or normal.
Even now I am using my bro's computer to type this...
What can I do now?
When I restore my broadband, it says that it can't connect (this happened after I used ComboFix and restarted the computer).


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

Let's try running *WinsockXPFix.exe*:

Running *WinsockXPFix.exe* may correct this problem. WinsockXPFix restores the files associated with connecting to a TCP/IP network. You can download WinsockXPFix.exe by clicking on the link above (it will fit on a floppy disk).

Double click on WinsockXPFix.exe. You will get a window like this:

First, click on the ReG-Backup button. This will back up your registry. This is just a precaution.

Click Ok. You will get the following window showing that your registry is being backed up.

Click Ok. You will go back to the main window. Click Fix.

Click Yes. It will run for about a minute, a beep will sound and you will get this window.

Click Ok and let your PC reboot. When it comes back up you should be able to get on the network.

*Please post a Hijackthis log.*


----------



## dvk01 (Dec 14, 2002)

If you post the ComboFix log we can see what it did manage to fix & what it didn't.

This is a new infection & is proving hard to fix, with lots of devious tricks to prevent removal.


----------



## yingybaby (Nov 14, 2006)

NKL - 06-11-17 16:20:57.33 Service Pack 2
ComboFix 06.11.17W - Running from: "C:\Documents and Settings\NKL\desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\All Users\Templates\temp.exe
C:\Program Files\Common Files\System\Update.dat
C:\Program Files\Common Files\System\Update.exe
C:\Program Files\INSTALL.LOG
C:\Program Files\Internet Explorer\iexplore.jmp
C:\Program Files\Internet Explorer\PLUGINS\system.jmp
C:\baby.dat
C:\WINDOWS\csrss.exe
C:\WINDOWS\logo1_.exe
C:\WINDOWS\rundl132.exe
C:\WINDOWS\system32\aamd532.dll
C:\WINDOWS\system32\advport.dll
C:\WINDOWS\system32\cdnns.dll
C:\WINDOWS\system32\downdll.dll
C:\WINDOWS\system32\quartz32.dll
C:\WINDOWS\system32\rundllfromwin2000.exe
C:\WINDOWS\system32\Score.txt
C:\WINDOWS\system32\wshcon32.dll
C:\WINDOWS\system32\ztdll.dll
C:\WINDOWS\system32\gojwuc50.dll
C:\WINDOWS\system32\wbem\wvvhxj33.dll
C:\WINDOWS\system32\drivers\RGWatch.sys
C:\WINDOWS\system32\wbem\ocmor.dll
C:\WINDOWS\system32\advwhes.dll
C:\WINDOWS\system32\drivers\msqmx.sys
C:\WINDOWS\system32\SrvAddSet.dat
C:\WINDOWS\system32\vdmop.dll
C:\WINDOWS\system32\wbem\lsass.exe
C:\WINDOWS\system32\wbem\sholl32.dll
C:\WINDOWS\system32\wbem\winkbd32.dll
C:\WINDOWS\system32\wnttech.dll
C:\Config.Msi\_desktop.ini
C:\Downloads\driver\_desktop.ini
C:\Downloads\game\_desktop.ini
C:\Downloads\mp3\_desktop.ini
C:\Downloads\software\_desktop.ini
C:\Downloads\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\DW\1028\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\DW\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\MSSHARED\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\PFILES\COMMON\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\PFILES\MSOFFICE\OFFICE11\1028\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\PFILES\MSOFFICE\OFFICE11\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\PFILES\MSOFFICE\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\PFILES\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\SETUP\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\FILES\_desktop.ini
C:\MSOCache\All Users\90000404-6000-11D3-8CFE-0150048383C9\_desktop.ini
C:\MSOCache\All Users\_desktop.ini
C:\MSOCache\_desktop.ini
C:\My Documents\My Pictures\2004-08 (Aug)\_desktop.ini
C:\My Documents\My Pictures\2004.07.12\_desktop.ini
C:\My Documents\My Pictures\2004.07.13\_desktop.ini
C:\My Documents\My Pictures\2004.07.14\128510314\_desktop.ini
C:\My Documents\My Pictures\2004.07.14\_desktop.ini
C:\My Documents\My Pictures\2004_07_14\_desktop.ini
C:\My Documents\My Pictures\2005-01 (Jan)\_desktop.ini
C:\My Documents\My Pictures\beach\_desktop.ini
C:\My Documents\My Pictures\camp\_desktop.ini
C:\My Documents\My Pictures\campphoto\_desktop.ini
C:\My Documents\My Pictures\Dinner\_desktop.ini
C:\My Documents\My Pictures\Eng\_desktop.ini
C:\My Documents\My Pictures\FOR MUM\_desktop.ini
C:\My Documents\My Pictures\Home\_desktop.ini
C:\My Documents\My Pictures\LONDON\_desktop.ini
C:\My Documents\My Pictures\Montreal_Trip\_desktop.ini
C:\My Documents\My Pictures\MSN\_desktop.ini
C:\My Documents\My Pictures\passport\_desktop.ini
C:\My Documents\My Pictures\X'mas\_desktop.ini
C:\My Documents\My Pictures\Day\_desktop.ini
C:\My Documents\My Pictures\photos\_desktop.ini
C:\My Documents\My Pictures\bonnie's photos\_desktop.ini
C:\My Documents\My Pictures\_desktop.ini
C:\My Documents\_desktop.ini
C:\My Music\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Activation\en_US\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Activation\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\browser\classes\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\browser\defaults\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\browser\plugins\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\browser\skin\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\browser\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\data\bridgedb\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\data\mysql\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\data\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\charsets\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\czech\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\danish\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\dutch\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\english\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\estonian\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\french\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\german\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\greek\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\hungarian\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\italian\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\japanese\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\korean\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\norwegian\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\norwegian-ny\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\polish\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\portuguese\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\romanian\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\russian\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\serbian\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\solvak\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\spanish\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\swedish\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\ukrainian\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\share\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\install\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\db_support\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\ar_AE\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\cs_CZ\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\da_DK\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\de_DE\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\el_GR\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\en_US\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\es_ES\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\fi_FI\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\fr_FR\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\he_IL\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\hr_HR\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\hu_HU\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\it_IT\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\ja_JP\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\ko_KR\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\nl_NL\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\no_NO\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\pl_PL\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\pt_BR\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\ro_RO\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\ru_RU\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\sl_SI\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\sv_SE\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\th_TH\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\tr_TR\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\vi_VN\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\zh_CN\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\zh_TW\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Legal\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Plug-Ins\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Presets\color books\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Presets\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\required\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Resources\en\_customization\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Resources\en\_media\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Resources\en\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\Resources\_desktop.ini
C:\Program Files\Adobe\Adobe Bridge\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\AdobeHelpCenter\1.0\en_US\binary\page\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\AdobeHelpCenter\1.0\en_US\binary\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\AdobeHelpCenter\1.0\en_US\html\page\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\AdobeHelpCenter\1.0\en_US\html\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\AdobeHelpCenter\1.0\en_US\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\AdobeHelpCenter\1.0\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\AdobeHelpCenter\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\DefaultProduct\1.0\en_US\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\DefaultProduct\1.0\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\DefaultProduct\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\Photoshop\9.0\en_US\binary\page\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\Photoshop\9.0\en_US\binary\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\Photoshop\9.0\en_US\html\page\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\Photoshop\9.0\en_US\html\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\Photoshop\9.0\en_US\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\Photoshop\9.0\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\Photoshop\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Cache\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Database\adobeassistance\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Database\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Packages\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Preferences\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\Search\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\AdobeHelpData\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Browser\classes\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Browser\defaults\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Browser\plugins\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Browser\skin\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Browser\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Required\help\en\images\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Required\help\en\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Required\help\images\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Required\help\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Required\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Resources\en_US\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\Resources\_desktop.ini
C:\Program Files\Adobe\Adobe Help Center\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\da_DK\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\de_DE\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\en_IE\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\en_US\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\es_ES\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\fi_FI\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\fr_FR\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\it_IT\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\ja_JP\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\ko_KR\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\nl_NL\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\no_NO\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\privacystatements\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\pt_BR\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\sv_SE\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\zh_CN\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\zh_TW\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Activation\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Help\additional how to content\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Help\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Help\Version_Cue\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Help\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Helpers\Jump To Graphics Editor\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Helpers\Jump To HTML Editor\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Helpers\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\da_dk\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\de_de\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\en_gb\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\en_us\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\es_es\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\fi_fi\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\fr_fr\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\it_it\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\ja_jp\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\ko_kr\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\nl_nl\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\no_no\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\pt_br\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\sv_se\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\zh_cn\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\zh_tw\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Legal\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Required\ImageReady Default Actions\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Required\Required\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Required\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe ImageReady Only\File Formats\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe ImageReady Only\Filters\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe ImageReady Only\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe Photoshop Only\Automate\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe Photoshop Only\Extensions\Bigger Tiles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe Photoshop Only\Extensions\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe Photoshop Only\File Formats\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe Photoshop Only\Filters\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe Photoshop Only\Import-Export\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Adobe Photoshop Only\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Digimarc\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Displacement Maps\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Effects\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Extensions\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\File Formats\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Filters\Lighting Styles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Filters\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Import-Export\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\Parser\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\增效模組\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\指令碼手冊\Sample Scripts\AppleScript\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\指令碼手冊\Sample Scripts\JavaScript\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\指令碼手冊\Sample Scripts\VBScript\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\指令碼手冊\Sample Scripts\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\指令碼手冊\Utilities\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\指令碼手冊\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\sample\Droplets\ImageReady Droplets\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\sample\Droplets\Photoshop Droplets\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\sample\Droplets\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\sample\ImageReady Files\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\sample\Merge to HDR\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\sample\Photomerge\Result\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\sample\Photomerge\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\sample\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\Adobe Photoshop Only\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_bigboxes\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_bigboxes\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_bigscribbles\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_bigscribbles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_circles\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_circles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_circular\Circles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_circular\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_dashed\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_dashed\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_dashed2\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_diagonals\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_flowers2\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_flowers2\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_grunge\Circles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_grunge\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_miniboxes\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_miniboxes\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_miniboxes2\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_miniboxes2\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_miniboxes3\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_miniboxes3\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_oddscribbles\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_oddscribbles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_paint\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_paint\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_scraps\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_scraps\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_scribbles\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_scribbles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_scribbles2\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_scribbles2\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_swirls\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_swirls\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_tinytext\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_tinytext\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_vecswirls\Image Pack\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\appendix_vecswirls\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\Circles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Brushes\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Color Books\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Color Swatches\Adobe Photoshop Only\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Color Swatches\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Contours\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Custom Shapes\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\Duotones\Gray-Black Duotones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\Duotones\PANTONE(R) Duotones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\Duotones\Process Duotones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\Duotones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\Quadtones\Gray Quadtones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\Quadtones\PANTONE(R) Quadtones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\Quadtones\Process Quadtones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\Quadtones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\TRITONE\Gray Tritones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\TRITONE\PANTONE(R) Tritones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\TRITONE\Process Tritones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\TRITONE\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Duotones\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Gradients\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Keyboard Shortcuts\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Layouts\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Menu Customization\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Optimized Colors\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Optimized Output Settings\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Optimized Settings\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Patterns\Adobe ImageReady Only\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Patterns\PostScript Patterns\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Patterns\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Photoshop Actions\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Scripts\Event Scripts Only\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Scripts\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Styles\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Textures\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Tools\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Centered Frame 1 - Basic\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Centered Frame 1 - Basic\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Centered Frame 1 - Feedback\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Centered Frame 1 - Feedback\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Centered Frame 1 - Info Only\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Centered Frame 1 - Info Only\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Centered Frame 2 - Feedback\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Centered Frame 2 - Feedback\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Dotted Border - Black On White\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Dotted Border - Black On White\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Dotted Border - White on Black\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Dotted Border - White on Black\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Flash - Gallery 1\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Flash - Gallery 2\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Gray Thumbnails\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Gray Thumbnails\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Horizontal - Feedback\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Horizontal - Feedback\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Horizontal Gray\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Horizontal Gray\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Horizontal Neutral\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Horizontal Neutral\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Horizontal Slideshow\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Horizontal Slideshow\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Simple\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Simple - Horizontal Thumbnails\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Simple - Horizontal Thumbnails\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Simple - Thumbnail Table\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Simple - Thumbnail Table\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Simple - Vertical Thumbnails\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Simple - Vertical Thumbnails\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Table - Minimal\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Table - Minimal\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Table 1\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Table 1\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Table 2\images\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\Table 2\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Web Photo Gallery\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\Workspaces\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\ZoomView\_desktop.ini
C:\Program Files\Adobe\Adobe Photoshop CS2\Reset\_desktop.ini



Some of them show Chinese in them because I downloaded the Chinese version.


----------



## yingybaby (Nov 14, 2006)

C:\Program Files\Adobe\Adobe Photoshop CS2\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\icons\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Resources\en_US\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Resources\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Template\images\FirstRun\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Template\images\ImgDetail\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Template\images\NavBar\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Template\images\Print\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Template\images\ShopCart\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Template\images\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Template\stylesheets\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\Template\_desktop.ini
C:\Program Files\Adobe\Adobe Stock Photos\_desktop.ini
C:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit\Plug-Ins\_desktop.ini
C:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit\Required\_desktop.ini
C:\Program Files\Adobe\Adobe Utilities\ExtendScript Toolkit\_desktop.ini
C:\Program Files\Adobe\Adobe Utilities\_desktop.ini
C:\Program Files\Adobe\_desktop.ini
C:\Program Files\Ahead\CoverDesigner\Templates\_desktop.ini
C:\Program Files\Ahead\CoverDesigner\_desktop.ini
C:\Program Files\Ahead\Nero\CDI\_desktop.ini
C:\Program Files\Ahead\Nero\Uninstall\_desktop.ini
C:\Program Files\Ahead\Nero\_desktop.ini
C:\Program Files\Ahead\Nero BackItUp\_desktop.ini
C:\Program Files\Ahead\Nero SoundTrax\_desktop.ini
C:\Program Files\Ahead\Nero StartSmart\_desktop.ini
C:\Program Files\Ahead\Nero Toolkit\_desktop.ini
C:\Program Files\Ahead\Nero Wave Editor\Presets\_desktop.ini
C:\Program Files\Ahead\Nero Wave Editor\_desktop.ini
C:\Program Files\Ahead\WMPBurn\_desktop.ini
C:\Program Files\Ahead\_desktop.ini
C:\Program Files\AOL 9.0\backup\restore\_desktop.ini
C:\Program Files\AOL 9.0\backup\_desktop.ini
C:\Program Files\AOL 9.0\components\_desktop.ini
C:\Program Files\AOL 9.0\cool\_desktop.ini
C:\Program Files\AOL 9.0\csl\_desktop.ini
C:\Program Files\AOL 9.0\download\_desktop.ini
C:\Program Files\AOL 9.0\Jiti\_desktop.ini
C:\Program Files\AOL 9.0\media\nmpx\plugins\_desktop.ini
C:\Program Files\AOL 9.0\media\nmpx\_desktop.ini
C:\Program Files\AOL 9.0\media\nmpxchat\plugins\_desktop.ini
C:\Program Files\AOL 9.0\media\nmpxchat\_desktop.ini
C:\Program Files\AOL 9.0\media\_desktop.ini
C:\Program Files\AOL 9.0\modems\_desktop.ini
C:\Program Files\AOL 9.0\MyCalendar\help\_desktop.ini
C:\Program Files\AOL 9.0\MyCalendar\_desktop.ini
C:\Program Files\AOL 9.0\sounds\_desktop.ini
C:\Program Files\AOL 9.0\spool\_desktop.ini
C:\Program Files\AOL 9.0\tool\_desktop.ini
C:\Program Files\AOL 9.0\vim\resources\audioprogress\_desktop.ini
C:\Program Files\AOL 9.0\vim\resources\images\_desktop.ini
C:\Program Files\AOL 9.0\vim\resources\videoprogress\_desktop.ini
C:\Program Files\AOL 9.0\vim\resources\_desktop.ini
C:\Program Files\AOL 9.0\vim\_desktop.ini
C:\Program Files\AOL 9.0\_desktop.ini
C:\Program Files\AOL Companion\UI\Default\modules\_desktop.ini
C:\Program Files\AOL Companion\UI\Default\_desktop.ini
C:\Program Files\AOL Companion\UI\_desktop.ini
C:\Program Files\AOL Companion\_desktop.ini
C:\Program Files\AOL Toolbar\_desktop.ini
C:\Program Files\Eset\Install\_desktop.ini
C:\Program Files\Eset\_desktop.ini
C:\Program Files\FlashGet\language\_desktop.ini
C:\Program Files\FlashGet\Skin\_desktop.ini
C:\Program Files\FlashGet\sounds\_desktop.ini
C:\Program Files\FlashGet\_desktop.ini
C:\Program Files\Foxy\Conf\_desktop.ini
C:\Program Files\Foxy\Download\INF\_desktop.ini
C:\Program Files\Foxy\Download\_desktop.ini
C:\Program Files\Foxy\Temp\_desktop.ini
C:\Program Files\Foxy\Update\Temp\_desktop.ini
C:\Program Files\Foxy\Update\_desktop.ini
C:\Program Files\Foxy\_desktop.ini
C:\Program Files\Google\Google Updater\1.4.661.11671\HTML\_desktop.ini
C:\Program Files\Google\Google Updater\1.4.661.11671\_desktop.ini
C:\Program Files\Google\Google Updater\_desktop.ini
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\_desktop.ini
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\_desktop.ini
C:\Program Files\Google\GoogleToolbarNotifier\_desktop.ini
C:\Program Files\Google\_desktop.ini
C:\Program Files\HighMAT CD Writing Wizard\1028\_desktop.ini
C:\Program Files\HighMAT CD Writing Wizard\_desktop.ini
C:\Program Files\ICQ\2003b\269498253\_desktop.ini
C:\Program Files\ICQ\2003b\_desktop.ini
C:\Program Files\ICQ\AOD\_desktop.ini
C:\Program Files\ICQ\AteBrowser\_desktop.ini
C:\Program Files\ICQ\Bookmark\_desktop.ini
C:\Program Files\ICQ\CL\_desktop.ini
C:\Program Files\ICQ\DataFiles\_desktop.ini
C:\Program Files\ICQ\Defaults\_desktop.ini
C:\Program Files\ICQ\Help\_desktop.ini
C:\Program Files\ICQ\Install\InfFiles\_desktop.ini
C:\Program Files\ICQ\Install\_desktop.ini
C:\Program Files\ICQ\License\_desktop.ini
C:\Program Files\ICQ\Pictures\_desktop.ini
C:\Program Files\ICQ\Plugins\_desktop.ini
C:\Program Files\ICQ\Received Files\_desktop.ini
C:\Program Files\ICQ\Shared files\_desktop.ini
C:\Program Files\ICQ\Skin\_desktop.ini
C:\Program Files\ICQ\Sounds\_desktop.ini
C:\Program Files\ICQ\UIN\_desktop.ini
C:\Program Files\ICQ\_desktop.ini
C:\Program Files\InetGet2\_desktop.ini
C:\Program Files\Internet Explorer\Connection Wizard\_desktop.ini
C:\Program Files\Internet Explorer\MUI\0404\_desktop.ini
C:\Program Files\Internet Explorer\MUI\0409\_desktop.ini
C:\Program Files\Internet Explorer\MUI\_desktop.ini
C:\Program Files\Internet Explorer\PLUGINS\RichFX\Player\_desktop.ini
C:\Program Files\Internet Explorer\PLUGINS\RichFX\_desktop.ini
C:\Program Files\Internet Explorer\PLUGINS\_desktop.ini
C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini
C:\Program Files\Internet Explorer\_desktop.ini
C:\Program Files\Learn2.com\StRunner\_desktop.ini
C:\Program Files\Learn2.com\_desktop.ini
C:\Program Files\Messenger Plus! Live\Interface\_desktop.ini
C:\Program Files\Messenger Plus! Live\Languages\_desktop.ini
C:\Program Files\Messenger Plus! Live\Scripts\_desktop.ini
C:\Program Files\Messenger Plus! Live\_desktop.ini
C:\Program Files\MessengerPlus! 3\Plugins\_desktop.ini
C:\Program Files\MessengerPlus! 3\Resources\_desktop.ini
C:\Program Files\MessengerPlus! 3\_desktop.ini
C:\Program Files\Microsoft\_desktop.ini
C:\Program Files\Microsoft ActiveSync\_desktop.ini
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\_desktop.ini
C:\Program Files\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini
C:\Program Files\Microsoft Office\CLIPART\Publisher\_desktop.ini
C:\Program Files\Microsoft Office\CLIPART\_desktop.ini
C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\1028\_desktop.ini
C:\Program Files\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini
C:\Program Files\Microsoft Office\MEDIA\OFFICE11\1028\_desktop.ini
C:\Program Files\Microsoft Office\MEDIA\OFFICE11\AUTOSHAP\_desktop.ini
C:\Program Files\Microsoft Office\MEDIA\OFFICE11\BULLETS\_desktop.ini
C:\Program Files\Microsoft Office\MEDIA\OFFICE11\LINES\_desktop.ini
C:\Program Files\Microsoft Office\MEDIA\OFFICE11\_desktop.ini
C:\Program Files\Microsoft Office\MEDIA\_desktop.ini
C:\Program Files\Microsoft Office\OFFICE11\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1028\FAX\_desktop.ini
C:\Program Files\Microsoft Office\Templates\1028\_desktop.ini
C:\Program Files\Microsoft Office\Templates\Presentation Designs\_desktop.ini
C:\Program Files\Microsoft Office\Templates\_desktop.ini
C:\Program Files\Microsoft Office\_desktop.ini
C:\Program Files\Microsoft.NET\Primary Interop Assemblies\_desktop.ini
C:\Program Files\Microsoft.NET\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\10\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\1046\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\11\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\12\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\16\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\19\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\20\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\22\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\29\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\31\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\6\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\7\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\9\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\Loc\_desktop.ini
C:\Program Files\MSN Messenger\Device Manager\_desktop.ini
C:\Program Files\MSN Messenger\_desktop.ini
C:\Program Files\NetLimiter 2 Pro\Docs\_desktop.ini
C:\Program Files\NetLimiter 2 Pro\Plugins\_desktop.ini
C:\Program Files\NetLimiter 2 Pro\Tools\_desktop.ini
C:\Program Files\NetLimiter 2 Pro\_desktop.ini
C:\Program Files\Norton AntiVirus\Quarantine\_desktop.ini
C:\Program Files\Norton AntiVirus\_desktop.ini
C:\Program Files\Online Services\_desktop.ini
C:\Program Files\Outlook Express\_desktop.ini
C:\Program Files\PrintView\_desktop.ini
C:\Program Files\QuickTime\Plugins\_desktop.ini
C:\Program Files\QuickTime\_desktop.ini
C:\Program Files\Real\RealPlayer\_desktop.ini
C:\Program Files\Real\_desktop.ini
C:\Program Files\Uninstall Information\_desktop.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\Components\_desktop.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\DownloadedComponents\_desktop.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\NewComponents\_desktop.ini
C:\Program Files\Viewpoint\Viewpoint Experience Technology\_desktop.ini
C:\Program Files\Viewpoint\_desktop.ini
C:\Program Files\Windows Journal Viewer\_desktop.ini
C:\Program Files\Windows Live Toolbar\Components\zh-hk\_desktop.ini
C:\Program Files\Windows Live Toolbar\Components\zh-tw\_desktop.ini
C:\Program Files\Windows Live Toolbar\Components\_desktop.ini
C:\Program Files\Windows Live Toolbar\Extensions\_desktop.ini
C:\Program Files\Windows Live Toolbar\zh-hk\_desktop.ini
C:\Program Files\Windows Live Toolbar\zh-tw\_desktop.ini
C:\Program Files\Windows Live Toolbar\_desktop.ini
C:\Program Files\Windows Media Connect\Redist\_desktop.ini
C:\Program Files\Windows Media Connect\zh-CHT\_desktop.ini
C:\Program Files\Windows Media Connect\_desktop.ini
C:\Program Files\Windows Media Player\Icons\_desktop.ini
C:\Program Files\Windows Media Player\Sample Playlists\_desktop.ini
C:\Program Files\Windows Media Player\Skins\_desktop.ini
C:\Program Files\Windows Media Player\Visualizations\_desktop.ini
C:\Program Files\Windows Media Player\_desktop.ini
C:\Program Files\WinRAR\_desktop.ini
C:\Program Files\xerox\nwwia\_desktop.ini
C:\Program Files\xerox\_desktop.ini
C:\Program Files\Yahoo!\Common\_desktop.ini
C:\Program Files\Yahoo!\Companion\Installs\cpn\_desktop.ini
C:\Program Files\Yahoo!\Companion\Installs\cpn1\_desktop.ini
C:\Program Files\Yahoo!\Companion\Installs\_desktop.ini
C:\Program Files\Yahoo!\Companion\_desktop.ini
C:\Program Files\Yahoo!\_desktop.ini
C:\Program Files\_desktop.ini
C:\RECYCLER\S-1-5-21-448539723-746137067-854245398-1003\_desktop.ini
C:\RECYCLER\_desktop.ini
C:\TempEI4\_desktop.ini
C:\_desktop.ini
C:\WINDOWS\realupdate.exe
C:\WINDOWS\system32\0.exe
C:\WINDOWS\system32\2.exe
C:\WINDOWS\system32\3.exe
C:\WINDOWS\system32\KB27861012.log
C:\Program Files\Inetget2
C:\Program Files\PrintView
C:\Program Files\Common Files\{40BBDC3F-0568-1028-0307-011204000354}
C:\Documents and Settings\NKL\Application Data\Macromedia\Flash Player\#SharedObjects\C6YT88FS\www.inter-focus.cn
C:\Documents and Settings\NKL\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Program Files\Common Files\CPush
C:\Program Files\CNNIC
C:\Program Files\coolsign
C:\Program Files\DeskAdTop
C:\WINDOWS\system32\{pchome}
C:\WINDOWS\Temp\update
C:\WINDOWS\system32\MicShExts
C:\WINDOWS\system32\wbem\dReposxml
C:\Program Files\Internet Explorer\PLUGINS\system18.sys
C:\WINDOWS\IEXPL0RE.exe
C:\WINDOWS\system32\aelupsvc32.dll
C:\WINDOWS\system32\drivers\wsfit32.sys
C:\Program Files\Internet Explorer\plugins\system18.sys
C:\WINDOWS\system32\Cnscheck001.dll
C:\Program Files\Internet Explorer\PLUGINS\system18.sys
C:\WINDOWS\IEXPL0RE.exe
C:\WINDOWS\system32\aelupsvc32.dll
C:\WINDOWS\system32\drivers\wsfit32.sys
C:\Program Files\Internet Explorer\plugins\system18.sys
C:\WINDOWS\system32\Cnscheck001.dll

((((((((((((((((((((((((((((((( Files Created from 2006-10-17 to 2006-11-17 ))))))))))))))))))))))))))))))))))

2006-11-17	16:11 d--------	C:\WINDOWS\erdnt
2006-11-17	16:00 d--------	C:\lspfix
2006-11-16	21:08 d--------	C:\!KillBox
2006-11-16	19:56	12,800	--a------	C:\WINDOWS\system32\cn_spi32.dll
2006-11-15	21:37	176,128	--a------	C:\winupdate.exe
2006-11-15	19:48	22	--a------	C:\WINDOWS\system32\wmsnds32.dll
2006-11-15	19:48	106,281	--a------	C:\WINDOWS\system32\ad812.exe
2006-11-15	19:43	33,280	--a------	C:\WINDOWS\POPNT.DLL
2006-11-15	19:42	81,920	--a------	C:\WINDOWS\system32\cnwin.dll
2006-11-15	19:42 d--------	C:\WINDOWS\win
2006-11-15	19:42 d--------	C:\WINDOWS\BJH
2006-11-15	16:39 d--------	C:\Program Files\Hijackthis
2006-11-14	16:41	30,821	--a------	C:\WINDOWS\8Sy.exe
2006-11-13	17:46 d--------	C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-11-12	18:08	41,984	--a------	C:\WINDOWS\rxdll.dll
2006-11-12	15:45 d--hs----	C:\WINDOWS\CSC
2006-11-12	13:38	91,904	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2006-11-12	13:38	124,016	--a------	C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-11-12	13:38 d--------	C:\Program Files\Norton AntiVirus
2006-11-12	13:38 d--------	C:\Documents and Settings\NKL\Application Data\Symantec
2006-11-12	13:37 d--------	C:\Program Files\Symantec
2006-11-12	13:37 d--------	C:\Program Files\Common Files\Symantec Shared
2006-11-12	13:37 d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2006-11-12	11:05 d--------	C:\Documents and Settings\All Users\Application Data\Google Updater
2006-11-11	00:07 d--------	C:\WINDOWS\Download
2006-11-10	22:00	28,459	--a------	C:\WINDOWS\4Sy.exe
2006-11-10	21:20 dr-------	C:\My Documents
2006-11-10	20:56	28,299	--a------	C:\WINDOWS\system32\a.bat
2006-11-10	20:44 d--------	C:\WINDOWS\Intel
2006-11-10	20:44 d--------	C:\WINDOWS\down
2006-11-10	20:44 d--------	C:\Program Files\Microsoft
2006-11-10	17:42 d--------	C:\Documents and Settings\NKL\Application Data\Help
2006-11-10	15:10	59,264	--a------	C:\WINDOWS\system32\drivers\USBAUDIO.sys
2006-10-22	16:24 d--------	C:\WINDOWS\system32\appmgmt
2006-10-22	16:24 d--------	C:\WINDOWS\SxsCaPendDel
2006-10-22	16:23 d--hs----	C:\Config.Msi
2006-10-21	19:33	7,050	--a------	C:\Documents and Settings\NKL\loadadv455.exe
2006-10-21	19:33	113,664	--a------	C:\Documents and Settings\NKL\goll.exe
2006-10-20	19:58	116,224	--a------	C:\WINDOWS\system32\free.exe

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2006-11-17 16:25	--------	d--------	C:\Program Files\Common Files
2006-11-17 16:12	--------	d--------	C:\Program Files\Internet Explorer
2006-11-17 16:11	--------	d--------	C:\Program Files\Yahoo!
2006-11-17 16:11	--------	d--------	C:\Program Files\xerox
2006-11-17 16:11	--------	d--------	C:\Program Files\WinRAR
2006-11-17 16:11	--------	d--------	C:\Program Files\Windows Media Player
2006-11-17 16:11	--------	d--------	C:\Program Files\Windows Media Connect
2006-11-17 16:11	--------	d--------	C:\Program Files\Windows Live Toolbar
2006-11-17 16:11	--------	d--------	C:\Program Files\Windows Journal Viewer
2006-11-17 16:10	--------	d--h-----	C:\Program Files\Uninstall Information
2006-11-17 16:10	--------	d--------	C:\Program Files\Viewpoint
2006-11-17 16:10	--------	d--------	C:\Program Files\Real
2006-11-17 16:10	--------	d--------	C:\Program Files\QuickTime
2006-11-17 16:10	--------	d--------	C:\Program Files\Outlook Express
2006-11-17 16:10	--------	d--------	C:\Program Files\Online Services
2006-11-17 16:10	--------	d--------	C:\Program Files\NetLimiter 2 Pro
2006-11-17 16:10	--------	d--------	C:\Program Files\MSN Messenger
2006-11-17 16:10	--------	d--------	C:\Program Files\MessengerPlus! 3
2006-11-17 16:10	--------	d--------	C:\Program Files\Messenger Plus! Live
2006-11-17 16:10	--------	d--------	C:\Program Files\Learn2.com
2006-11-17 16:10	--------	d--------	C:\Program Files\ICQ
2006-11-17 16:10	--------	d--------	C:\Program Files\HighMAT CD Writing Wizard
2006-11-17 16:10	--------	d--------	C:\Program Files\Google
2006-11-17 16:10	--------	d--------	C:\Program Files\Foxy
2006-11-17 16:10	--------	d--------	C:\Program Files\FlashGet
2006-11-17 16:10	--------	d--------	C:\Program Files\Eset
2006-11-17 16:10	--------	d--------	C:\Program Files\AOL Toolbar
2006-11-17 16:10	--------	d--------	C:\Program Files\AOL Companion
2006-11-17 16:10	--------	d--------	C:\Program Files\AOL 9.0
2006-11-17 16:10	--------	d--------	C:\Program Files\Ahead
2006-11-17 16:10	--------	d--------	C:\Program Files\Adobe
2006-11-17 16:08	--------	d--------	C:\Program Files\Common Files\System
2006-11-11 21:56	--------	d---s----	C:\Documents and Settings\NKL\Application Data\Microsoft
2006-10-15 11:20	--------	d--------	C:\Program Files\Common Files\Microsoft Shared
2006-10-03 16:18	--------	d--------	C:\Documents and Settings\NKL\Application Data\Foxy
2006-09-27 19:33	--------	d--------	C:\Documents and Settings\NKL\Application Data\Google
2006-09-25 18:16	--------	d--------	C:\Documents and Settings\NKL\Application Data\Adobe
2006-09-23 23:43	--------	d--------	C:\Documents and Settings\NKL\Application Data\Locktime
2006-09-23 23:30	--------	d--------	C:\Documents and Settings\NKL\Application Data\ICQ
2006-09-23 23:15	--------	d--------	C:\Program Files\Common Files\DESIGNER
2006-09-23 22:52	--------	d--------	C:\Program Files\Common Files\Adobe
2006-09-23 22:40	--------	d--------	C:\Program Files\Common Files\Adobe Systems Shared
2006-09-23 22:07	--------	d--------	C:\Documents and Settings\NKL\Application Data\Real
2006-09-23 22:05	--------	d--------	C:\Program Files\Common Files\xing shared
2006-09-23 22:05	--------	d--------	C:\Program Files\Common Files\Real
2006-09-23 21:18	--------	d--------	C:\Program Files\Common Files\Ahead
2006-09-23 20:51	--------	d--------	C:\Documents and Settings\NKL\Application Data\Macromedia
2006-09-23 20:49	--------	d--------	C:\Program Files\Common Files\aolback
2006-09-23 20:49	--------	d--------	C:\Documents and Settings\NKL\Application Data\AOL
2006-09-23 20:47	--------	d--------	C:\Program Files\Common Files\Nullsoft
2006-09-23 20:47	--------	d--------	C:\Program Files\Common Files\aolshare
2006-09-23 20:47	--------	d--------	C:\Program Files\Common Files\AOL
2006-09-23 20:47	--------	d--------	C:\Documents and Settings\NKL\Application Data\You've Got Pictures Screensaver
2006-09-23 20:46	8552	--a------	C:\WINDOWS\system32\drivers\asctrm.sys
2006-09-23 20:32	--------	d--------	C:\Documents and Settings\NKL\Application Data\Identities
2006-09-23 20:30	--------	d--------	C:\Program Files\Messenger
2006-09-23 20:12	0	-rahs----	C:\MSDOS.SYS
2006-09-23 20:12	0	-rahs----	C:\IO.SYS
2006-09-23 20:12	0	--a------	C:\CONFIG.SYS
2006-09-23 20:12	0	--a------	C:\AUTOEXEC.BAT
2006-09-23 20:09	--------	d--h-----	C:\Program Files\WindowsUpdate
2006-09-23 20:07	--------	d--------	C:\Program Files\NetMeeting
2006-09-23 20:07	--------	d--------	C:\Program Files\Movie Maker
2006-09-23 20:07	--------	d--------	C:\Program Files\Common Files\Services
2006-09-23 20:07	--------	d--------	C:\Program Files\Common Files\MSSoap
2006-09-23 20:06	--------	d--------	C:\Program Files\ComPlus Applications
2006-09-23 20:05	--------	d--------	C:\Program Files\Windows NT
2006-09-23 20:05	--------	d--------	C:\Program Files\MSN Gaming Zone
2006-09-15 07:50	62	--ahs----	C:\Documents and Settings\NKL\Application Data\desktop.ini

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\" /WinStart"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"CJIMETIPSYNC"="C:\\Program Files\\Common Files\\Microsoft Shared\\IME\\IMTC65\\CHANGJIE\\CINTLCFG.EXE /CJIMETIPSync"
"PHIMETIPSYNC"="C:\\Program Files\\Common Files\\Microsoft Shared\\IME\\IMTC65\\PHONETIC\\TINTLCFG.EXE /PHIMETIPSync"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Home"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{923509F1-45CB-4EC0-BDE0-1DED35B8FD60}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000bd
"NoSharedDocuments"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"csrss"="C:\\WINDOWS\\csrss.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=dword:00000001
"hx-2"="2"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0
Usnsvc	REG_MULTI_SZ usnsvc\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\Norton AntiVirus - ?????? - NKL.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-17 16:27:35.75
C:\ComboFix.txt ... 06-11-17 16:27
C:\ComboFix2.txt ... 06-11-17 16:03
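
The listings above are being read by eye in this thread. The script below is an added example (not code posted by anyone here, and not part of ComboFix or HijackThis) that automates the spotting a helper does on such logs: lookalike names for Windows binaries (IEXPL0RE.exe with a zero, rundl132.exe with a one), a system-binary name outside its home directory (the csrss.exe in C:\WINDOWS under Policies\Explorer\Run), bare numeric names in system32 (0.exe, 2.exe), and autoruns under the Policies\Explorer\Run key. The sample lines are lifted from the logs in this thread; the table of known binaries and their home directories, and the homoglyph map, are constructed assumptions for the example and are deliberately small.

```python
r"""Triage a HijackThis/ComboFix-style listing for the tricks visible in this
thread: lookalike names for Windows binaries (IEXPL0RE.exe with a zero,
rundl132.exe with a one), a system-binary name outside its home directory
(C:\WINDOWS\csrss.exe), bare numeric names in system32 (0.exe, 2.exe) and
autoruns under Policies\Explorer\Run. Added example; the sample lines are
copied from the log, the table of known binaries is constructed and small."""
from __future__ import annotations

import re
from pathlib import PureWindowsPath

# Characters malware swaps in for look-alike letters; applied to BOTH the
# observed name and the known names so "rundll32" and "rundl132" fold equal.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed table (not exhaustive): a few Windows binaries and the one
# directory each legitimately lives in on XP, lower-cased.
KNOWN_SYSTEM_BINARIES = {
    "iexplore.exe": r"c:\program files\internet explorer",
    "rundll32.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}

# Drive-letter path ending in an executable-ish extension, anywhere in a line.
PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\\"\r\n]+\\)*[^\\"\r\n]+?\.(?:exe|dll|sys|bat)', re.I)


def fold(name: str) -> str:
    return name.lower().translate(HOMOGLYPHS)


FOLDED_KNOWN = {fold(k): k for k in KNOWN_SYSTEM_BINARIES}


def triage_path(path: str) -> list[str]:
    """Reasons a single file path looks suspicious; empty list if none."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), str(p.parent).lower()
    reasons = []
    if re.fullmatch(r"\d+\.exe", name):
        reasons.append("numeric-only executable name")
    home = KNOWN_SYSTEM_BINARIES.get(name)
    if home and parent != home:
        reasons.append(f"{name} outside {home}")
    twin = FOLDED_KNOWN.get(fold(name))
    if twin and twin != name:
        reasons.append(f"lookalike of {twin}")
    return reasons


def triage_log(text: str) -> list[tuple[str, str]]:
    """Walk a log and return (item, reason) pairs. Registry sections are
    tracked so values under Policies\\Explorer\\Run get flagged as a whole."""
    findings, current_key = [], ""
    for raw in text.splitlines():
        line = raw.strip().replace("\\\\", "\\")  # un-escape .reg style paths
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if "\\policies\\explorer\\run" in current_key and "=" in line:
            findings.append((line, "autorun via Policies\\Explorer\\Run"))
        for m in PATH_RE.finditer(line):
            for reason in triage_path(m.group(0)):
                findings.append((m.group(0), reason))
    return findings


# Constructed sample: a handful of lines lifted from the logs in this thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\0.exe
C:\WINDOWS\system32\2.exe
C:\WINDOWS\IEXPL0RE.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"csrss"="C:\\WINDOWS\\csrss.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"""

if __name__ == "__main__":
    for item, reason in triage_log(SAMPLE_LOG):
        print(f"{reason:40} {item}")
```

Folding both sides through the same homoglyph table is what makes the check symmetric: rundll32.exe contains real digits, so simply mapping digits to letters in the observed name alone would never match it. Extend KNOWN_SYSTEM_BINARIES from a clean machine of the same Windows version before relying on the "outside its home directory" rule.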


----------



## yingybaby (Nov 14, 2006)

JSntgRvr said:


> Hi, *yingybaby*
> 
> Lets try running *WinsockXPFix.exe*:
> 
> ...


I tried this one, but when I saved the backups, it said "error" for the following files:
C:\ERDNT\SECURITY
C:\ERDNT\software
C:\ERDNT\system
C:\ERDNT\default
C:\ERDNT\SAM
C:\ERDNT\Users\S-1-5-21-448539723-746137067-854245398-1003\NTUSER.DAT
C:\ERDNT\Users\S-1-5-21-448539723-746137067-854245398-1003_Classes\UsrClass.dat

It doesn't show that the registry backup is completed, and my computer doesn't reboot,
so I didn't use HJT.


----------



## dvk01 (Dec 14, 2002)

There are still a lot of infected files there, and I'm not sure it is completely fixable.

You have one of these two viruses/worms/trojans, and they both change registry and file permissions to prevent backups and removal; that is why ERUNT won't appear to run.

I would try this to see if it can remove/disinfect the infected files.

Click *here* to download *Dr.Web CureIt *and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the *Yes* button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click *Yes to all* if it asks if you want to cure/move the file.
When the scan has finished, check whether you can click the icon next to the files found:

If so, click it, then click the icon right below it and select *Move incurable*, as shown in the next image:

This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (in case we need samples).
After selecting, in the *Dr.Web CureIt* menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called *DrWeb.csv*.
*Close Dr.Web CureIt*.
Reboot your computer! Files that are in use may only be moved/deleted during the reboot.
After the reboot, post the contents of the log from *Dr.Web* you saved previously in your next reply, along with a new *HijackThis log*.


----------



## yingybaby (Nov 14, 2006)

I am sorry, but I can't save it on the floppy disk; it's too big for my floppy disk.
My computer's internet is still dead.
I tried to install AOL (my broadband) again and again, but every time I log in, it says it cannot connect. Is it because of the virus or something else?


----------



## dvk01 (Dec 14, 2002)

It's the virus.
Open HJT, press Config > Misc Tools, tick both little boxes about minor and empty sections, and press Generate StartupList.

Post that back here.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *Derek* 

Thanks for your continuous support. Is this one of the Chinese viruses we have recently encountered?

Two cents of info:

Based on the member's description of the issue (not being able to connect), it sounds like a corrupted Winsock. If this is the case, I would recommend the use of the NetShell utility to restore the TCP/IP stack to the state that existed when the operating system was installed, unless the virus will also affect this procedure.



> Go to *Start*->*Run*, type *CMD *and click *Ok*. The *MSDOS* window will be displayed. At the prompt type the following and press Enter.
> 
> *netsh int ip reset c:\resetlog.txt*
> 
> Restart the computer and attempt to connect. Post the contents of the *c:\resetlog.txt* created.


----------



## sweatpants46 (Nov 20, 2006)

Hi, I am just a passer by that stumbled onto this thread in my research. I would just like to add my two cents, because the exchange between JSntgRvr and dvk01 interested me. 

I consider myself to be relatively competent at spyware/malware removal and have always been able to deal with spyware easily in the past. That being said, I have had this problem for two days now. Because of the nature of spyware to immediately download many other spywares, the trick was to find out which ones I couldn't remove easily. Through all my methods, the two files I absolutely could not get rid of were C:\Windows\IEXPL0RE.exe (note the 0 instead of O) and C:\Windows\system32\aelupsvc32.dll. 

I apologize, the little progress I've made spanned two days and many hours of research/removal, so I do not remember the exact details or order of some events. But I hope this can shed some light for the certified experts. 

Conventional deletion did not work because of write-protection (they must be being used in the memory somehow), Ad-Aware and SpyBot latest updates do not detect them, Ewido detects both files (as Adware.Agent and Adware.WSearch respectively) but can delete neither.

Initially, IEXPL0RE.exe ran as a process that could not be terminated by the Windows Task Manager, Security Task Manager, or the HijackThis Process Manager. When Security Task Manager and HijackThis cannot terminate a process, they wait for the next restart and try to quarantine the file on startup. Both, as well as MoveOnBoot and a similar program, failed to do this. I booted in Safe Mode, where the process wasn't running, but I still could not delete either file. I thought that nothing could be done because the spyware was starting up before the cleaner programs, so I delved into the registry.

Using the Find command of the registry editor, I found an instance of IEXPL0RE.exe in a common startup key and deleted it. I closed the editor and ran it again to find the same key in the same spot. I should mention that HijackThis also pointed to this registry value, but after every attempt to "fix" it, the key showed up in the next scan attempt. It was either never being deleted, or instantaneously being recreated. 

Somehow, (sorry for the vagueness, but I can't remember) through a combination of Safe Mode, forced termination, and registry editing, I was able to delete this value permanently, and the IEXPL0RE.exe process never started again. However, I still couldn't and still can't delete the file.

I also had the same LSP trouble as the poster and used LSPfix.exe. The first attempt found aelupsvc32.dll and I moved it to the Remove column, but upon restart and running it again, I found it still being a problem (HijackThis showed the same result as before). Also in the registry, I searched for instances of aelupsvc32.dll but I either didn't find any or was able to delete them without trouble. The next reboot, I still couldn't delete the file, so I did more research and decided to try adding an aelupsvc32.dll value to the HKLM\System\CCS\Control\Session Manager\ExcludeFromKnownDlls key. I think it was this step that stopped the LSP problems in HijackThis, and stopped aelupsvc32.dll from showing up in LSPfix.exe. During this time, I also deleted some suspicious registry values in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Nonenum\ and also ran combofix.exe, so I can't be sure which step stopped the LSP problem.

I also noticed that many more instances of svchost.exe were starting up now, so I decided to take a look at them. Security Task Manager showed me that they were starting up as quite random services (out of the many that use svchost.exe) that I had never set to automatic startup. In fact, the only svchost.exe services I have are the essential RPC service and (I think) the time service. I was able to delete all the new instances of svchost.exe without the system going unstable. I then looked at the HijackThis process manager for more information and found out that the RPC service was actually using aelupsvc32.dll. So I decided to force-stop it and see if I could delete the dll file before the system reboot. I couldn't. However, after the next reboot, aelupsvc32.dll was no longer being used by svchost.exe.

Now, I'm at the point where neither IEXPL0RE.exe nor aelupsvc32.dll is currently being used, but I still can't delete them. I actually did all my research and am typing this on different computers because I'm scared I'll get many more spyware infections. 

Oh, and I know exactly where I got this virus. It was from downloading a P2P video streaming program called TVAnts that broadcasts mainly asian channels. I think it was originally a Chinese program, and all the popups I've gotten were Chinese as well. So I think you're right about this being one of the new Chinese viruses. This is my first time being on the forefront of a new generation of spyware, actually, and although I was frustrated before for failing for days where I usually succeed in an hour, after reading this post, I'm excited to see if I can contribute. Sorry for the obnoxiously long post, but I hope this can be helpful. I'll be checking this forum as well as the countless other ones I've researched to see how to finally get rid of this thing. Thanks!


----------



## yingybaby (Nov 14, 2006)

sorry i didn't reply coz i wasn't allowed on the computer...
my bro cleaned my computer yesterday and installed those programs again.
he deleted all the C:\ software and kept D:\
but when i restarted the computer, i think there is still a virus/worm
i'm sorry but can you forget everything i said before and start all over again coz i don't think it is the same virus...
AND ALSO NOD32 said *c:\windows\rundl132.exe* has a virus called *NewHeur_PE*

here is HJT report
Logfile of HijackThis v1.99.1
Scan saved at 18:20:20, on 21/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Intel\rundll32.exe
C:\WINDOWS\down\rundll32.exe
C:\Program Files\Microsoft\svhost32.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\Download\svhost32.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: & use FlashGet to download - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: & all use FlashGet to download - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy download - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy search - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: reference data - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{926DE9AA-8575-4568-87F7-CA864E1A0A48}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA86600D-0523-4D5A-9B13-50E76E260F23}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 414546M.BMP
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe


----------
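The HijackThis log above is read by eye in the thread: the helper picks out binaries that borrow a Windows system file name but live in the wrong directory (rundll32.exe under C:\WINDOWS\Intel and C:\WINDOWS\down), names one character away from a real one (svhost32.exe for svchost.exe, rundl132.exe for rundll32.exe, the IEXPL0RE.exe mentioned earlier), and an AppInit_DLLs value that is not a DLL at all (414546M.BMP). The following Python script is an added example, not code from the thread or from HijackThis, that applies those three rules to the F3, O4 and O20 lines. The sample lines are copied from the log posted above; the list of system binaries and system directories is an assumption kept deliberately short so that ordinary third-party programs are not matched by the edit-distance rule.

```python
"""Triage of HijackThis autostart lines (added example, not part of the thread).

Flags three things a malware-removal helper looks for in F3/O4/O20 lines:
  * a genuine Windows binary name outside the system directories
  * a look-alike name (digit-for-letter swaps, one character off)
  * an AppInit_DLLs value whose extension is not .dll
"""
import re

# Constructed sample: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: 414546M.BMP
"""

# Assumed lists: real Windows XP binaries that malware likes to imitate, and the
# only directories they legitimately run from (lower-case, no trailing slash).
KNOWN_BINARIES = {"rundll32.exe", "svchost.exe", "iexplore.exe", "explorer.exe",
                  "winlogon.exe", "services.exe", "lsass.exe", "spoolsv.exe",
                  "ctfmon.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows",
               r"c:\program files\internet explorer")

# First drive-letter path ending in an executable-ish extension; paths may contain spaces.
PATH_RE = re.compile(r"([a-z]:\\.+?\.(?:exe|dll|scr|com|bmp))", re.IGNORECASE)


def parse_entries(log_text):
    """Yield (section, line, path_or_value) for every F3, O4 and O20 line."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(F3|O4|O20) - (.*)", line)
        if not m:
            continue
        section, rest = m.groups()
        if section == "O20":                       # AppInit_DLLs: <value>
            yield section, line, rest.split(":", 1)[1].strip()
        else:
            pm = PATH_RE.search(rest)
            if pm:
                yield section, line, pm.group(1)


def normalize_stem(filename):
    """Lower-case stem with 0->o and 1->l undone and trailing digits dropped,
    so rundl132 / rundll32 and svhost32 / svchost compare on the letters only."""
    stem = filename.lower().rsplit(".", 1)[0]
    stem = stem.translate(str.maketrans({"0": "o", "1": "l"}))
    return stem.rstrip("0123456789")


def levenshtein(a, b):
    """Plain edit distance; the names are short so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(log_text):
    """Return [(log line, reason)] for every entry worth checking in Killbox/HJT."""
    findings = []
    known_stems = {normalize_stem(n): n for n in KNOWN_BINARIES}
    for section, line, value in parse_entries(log_text):
        if section == "O20":
            if not value.lower().endswith(".dll"):
                findings.append((line, f"AppInit_DLLs loads non-DLL name {value!r}"))
            continue
        directory, _, name = value.lower().rpartition("\\")
        if name in KNOWN_BINARIES:                 # right name, wrong place?
            if directory not in SYSTEM_DIRS:
                findings.append((line, f"system file name {name} outside system directories"))
            continue
        stem = normalize_stem(name)                # look-alike of a known name?
        for kstem, kname in known_stems.items():
            if levenshtein(stem, kstem) <= 1:
                findings.append((line, f"{name} looks like {kname}"))
                break
    return findings


if __name__ == "__main__":
    for line, why in triage(SAMPLE_LOG):
        print(f"{why:55s} <- {line}")
```

The edit-distance rule is deliberately limited to the short list of names malware imitates; applied to every program name it would produce false positives for legitimately similar product names, so on a real log the output is a list of entries to check, not a verdict.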



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

Please *download* the *Killbox by Option^Explicit*.

*Note*: *In the event you already have Killbox, this is a new version that I need you to download.*

 *Save* it to your *desktop*.
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O20 - AppInit_DLLs: 414546M.BMP

*Now* close all windows and browsers, other than HiJackThis, then click Fix Checked.

Close Hijackthis.

 Please double-click *Killbox.exe* to run it.
 Select:
*Delete on Reboot*
 then *Click* on the *All Files* button.

Please *copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\WINDOWS\rundl132.exe
C:\WINDOWS\Intel\rundll32.exe
C:\WINDOWS\down\rundll32.exe
C:\Program Files\Microsoft\svhost32.exe
C:\WINDOWS\Download\svhost32.exe
C:\WINDOWS\414546M.BMP
C:\WINDOWS\System32\414546M.BMP*

 Return to Killbox, go to the *File* menu, and choose *Paste from Clipboard*.

Click the red-and-white *Delete File* button. Click *Yes* at the Delete on Reboot prompt. Click *OK* at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

_*If your computer does not restart automatically, please restart it manually*_.

_If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again._

*Post a fresh log.*


----------
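Killbox's *Delete on Reboot* option (and the PendingFileRenameOperations prompt JSntgRvr asks about) rests on one mechanism: the file is not deleted now but queued in the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, which the Session Manager processes at the next boot before any service or autostart entry has loaded, which is why a file that is "in use" or write-protected can still go. The value is a list of pairs: a source path in NT form (`\??\C:\...`) followed by the target, where an empty target means delete and a `!` prefix on the target means replace an existing file. The Python below is an added example, not Killbox's code, that builds that value for the paths listed above and decodes an existing one back into readable operations; the Windows-only helper at the end calls the documented `MoveFileExW` API with `MOVEFILE_DELAY_UNTIL_REBOOT`, which is how tools append such entries without editing the registry by hand. The subtlety worth checking is the empty target string: a generic MULTI_SZ reader that stops at the first empty string would report nothing after the first delete, so the decoder here walks the raw bytes instead.

```python
"""PendingFileRenameOperations as a delete-on-reboot queue (added example,
not code from Killbox or the thread)."""
import ctypes
import sys

NT_PREFIX = "\\??\\"                  # object-manager form the Session Manager expects
MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# Constructed sample: the paths JSntgRvr asks to paste into Killbox.
KILLBOX_PATHS = [
    r"C:\WINDOWS\rundl132.exe",
    r"C:\WINDOWS\Intel\rundll32.exe",
    r"C:\WINDOWS\down\rundll32.exe",
    r"C:\Program Files\Microsoft\svhost32.exe",
    r"C:\WINDOWS\Download\svhost32.exe",
    r"C:\WINDOWS\414546M.BMP",
    r"C:\WINDOWS\System32\414546M.BMP",
]


def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: each string UTF-16LE + NUL, then one extra NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(data):
    """Inverse of encode_multi_sz that keeps empty strings in the middle of the
    list (an ordinary 'stop at the first empty string' reader would lose every
    entry after the first delete)."""
    text = data.decode("utf-16-le")
    if text.endswith("\x00"):          # list terminator
        text = text[:-1]
    if text.endswith("\x00"):          # terminator of the last string
        text = text[:-1]
    return text.split("\x00") if text else []


def build_pending_ops(delete_paths):
    """Value that queues every path for deletion at the next boot."""
    entries = []
    for path in delete_paths:
        entries.append(NT_PREFIX + path)   # source
        entries.append("")                 # empty target = delete
    return encode_multi_sz(entries)


def _strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def describe_pending_ops(data):
    """Decode a PendingFileRenameOperations value into (op, source, target)."""
    items = decode_multi_sz(data)
    if len(items) % 2:
        raise ValueError("odd number of strings: value is malformed")
    ops = []
    for src, dst in zip(items[::2], items[1::2]):
        if dst == "":
            ops.append(("delete", _strip_nt(src), None))
        elif dst.startswith("!"):          # '!' = MOVEFILE_REPLACE_EXISTING
            ops.append(("replace", _strip_nt(src), _strip_nt(dst[1:])))
        else:
            ops.append(("rename", _strip_nt(src), _strip_nt(dst)))
    return ops


def queue_delete_on_reboot(path):
    """Let the kernel append the entry itself (what 'Delete on Reboot' does).
    Windows only; needs administrator rights. Not exercised off Windows."""
    if sys.platform != "win32":
        raise OSError("MoveFileExW is only available on Windows")
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()
    return True


if __name__ == "__main__":
    value = build_pending_ops(KILLBOX_PATHS)
    for op in describe_pending_ops(value):
        print(op)
```

Reading the value back with `describe_pending_ops` before rebooting is the check a practitioner wants: malware can use the same key to rename its own files over system binaries at boot, so any `rename` or `replace` entry you did not queue yourself deserves a look before the reboot happens.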



## yingybaby (Nov 14, 2006)

i've used HJT, but after i press Fix Checked it said:


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

It is due to line 020. Complete the instructions and post a fresh log.


----------



## yingybaby (Nov 14, 2006)

most of the files aren't saving though..
it's the same as 024

i tried this one but when i saved backups of the following files they said error..
C:\ERDNT\SECURITY
C:\ERDNT\software
C:\ERDNT\system
C:\ERDNT\default
C:\ERDNT\SAM
C:\ERDNT\Users\S-1-5-21-448539723-746137067-854245398-1003\NTUSER.DAT
C:\ERDNT\Users\S-1-5-21-448539723-746137067-854245398-1003_Classes\UsrClass.dat


it doesn't show that the registry backup is completed, and my computer doesn't reboot.
so i didn't use hjt


----------



## JSntgRvr (Jul 1, 2003)

yingybaby said:


> most of the files aren't saving though..
> it's the same as 024
> 
> i tried this one but when i save backups the following files they said error..
> ...


Why are you using ERUNT? Were you able to run Killbox? Any problems with Killbox?

Post a fresh Hijackthis log.


----------



## yingybaby (Nov 14, 2006)

i am not using ERDNT..
that's only what WinsockXPFix said..
it opens a folder called ERDNT and it wanted to save those backups in that folder but it doesn't work
i didn't use killbox yesterday coz hjt cannot fix checked...
*now...these things are in hjt's Backups*

F3 - REG:win.ini: load=C:\WINDOWS\rundl132.exe
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [rzt] C:\WINDOWS\Intel\rundll32.exe
O4 - HKLM\..\Run: [r] C:\WINDOWS\down\rundll32.exe
O4 - HKLM\..\Run: [ms] C:\Program Files\Microsoft\svhost32.exe
O4 - HKLM\..\Run: [xy] C:\WINDOWS\Download\svhost32.exe
O4 - HKLM\..\Run: [wl] C:\WINDOWS\Download\svhost32.exe
O20 - AppInit_DLLs: 414546M.BMP

*here is the hjt report*

Logfile of HijackThis v1.99.1
Scan saved at 16:06:56, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: & use FlashGet download - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: & all use FlashGet to download - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy download - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy search - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: reference data - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{926DE9AA-8575-4568-87F7-CA864E1A0A48}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA86600D-0523-4D5A-9B13-50E76E260F23}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe


----------



## JSntgRvr (Jul 1, 2003)

> i didn't use killbox yesterday coz hjt cannot fix checked...


Run *Killbox*. Despite the error message, the entries were fixed.

I am assuming you are able to connect to the internet, aren't you?

Let's take a deeper look:


Please download *Combofix* to your desktop from *Here* or *Here* (this is a new version):
Double-click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackThis* log in your next reply.
*Note: Do not mouse-click combofix's window while it is running. That may cause it to stall.*


----------



## yingybaby (Nov 14, 2006)

*ComboFix log*

NYL - 06-11-22 20:48:47.40 Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Program Files"

((((((((((((((((((((((((((((((( Files Created from 2006-10-22 to 2006-11-22 ))))))))))))))))))))))))))))))))))

2006-11-22	20:22 d--------	C:\!KillBox
2006-11-22	20:21	276,878	--a------	C:\Program Files\combofix.exe
2006-11-21	23:07 d--------	C:\ERDNT
2006-11-21	23:04	1,445,888	--a------	C:\Program Files\WinsockXPFix.exe
2006-11-21	21:04	73,728	--a------	C:\Program Files\KillBox.exe
2006-11-21	18:19 d--------	C:\Program Files\Hijackthis
2006-11-21	18:18	488,144	--a------	C:\Program Files\HJTsetup.exe
2006-11-21	16:41 d--------	C:\Documents and Settings\All Users\Application Data\Google Updater
2006-11-21	16:34	509,400	--a------	C:\Program Files\Google Installer.exe
2006-11-21	16:11 d--hs----	C:\Config.Msi
2006-11-20	20:23 d--------	C:\Program Files\Norton AntiVirus
2006-11-20	20:23 d--------	C:\Documents and Settings\NYL\Application Data\Symantec
2006-11-20	20:22 d--------	C:\Program Files\Symantec
2006-11-20	20:22 d--------	C:\Documents and Settings\All Users\Application Data\Symantec
2006-11-20	20:21 d--------	C:\Program Files\Common Files\Symantec Shared
2006-11-19	17:11 d--------	C:\Program Files\Foxy
2006-11-19	17:11 d--------	C:\Documents and Settings\NYL\Application Data\Foxy
2006-11-18	23:12 d--------	C:\Documents and Settings\NYL\Application Data\Google
2006-11-18	23:11 d--------	C:\Documents and Settings\All Users\Application Data\Google
2006-11-18	19:25 d--------	C:\Program Files\Common Files\Adobe Systems Shared
2006-11-18	19:25 d--------	C:\Documents and Settings\All Users\Application Data\Adobe Systems
2006-11-18	19:23 d--------	C:\Program Files\Common Files\Adobe
2006-11-18	19:23 d--------	C:\Documents and Settings\All Users\Application Data\Adobe
2006-11-18	19:20 d--------	C:\Program Files\Adobe
2006-11-18	18:52 d--hs----	C:\RECYCLER
2006-11-18	18:51 d--------	C:\Downloads
2006-11-18	18:40 d--------	C:\Documents and Settings\NYL\Application Data\Locktime
2006-11-18	18:32	17,920	--a------	C:\WINDOWS\system32\mdimon.dll
2006-11-18	18:26 d--------	C:\Program Files\Microsoft ActiveSync
2006-11-18	18:25 d--------	C:\Program Files\Common Files\DESIGNER
2006-11-18	18:24 d--------	C:\WINDOWS\SHELLNEW
2006-11-18	18:24 d--------	C:\Program Files\Microsoft.NET
2006-11-18	18:24 d--------	C:\Program Files\Microsoft Office
2006-11-18	18:11 d--------	C:\Program Files\MessengerPlus! 3
2006-11-18	18:08 d--------	C:\Program Files\FlashGet
2006-11-18	18:06 d--------	C:\Program Files\NetLimiter 2 Pro
2006-11-18	18:06 d--------	C:\Documents and Settings\All Users\Application Data\Locktime
2006-11-18	18:05	502,208	--a------	C:\WINDOWS\system32\drivers\amon.sys
2006-11-18	18:05	270,336	--a------	C:\WINDOWS\system32\imon.dll
2006-11-18	18:03 d--------	C:\Program Files\ESET
2006-11-18	18:00 d--------	C:\Program Files\Google
2006-11-18	17:57 d--------	C:\Program Files\Common Files\xing shared
2006-11-18	17:54 d--------	C:\Documents and Settings\NYL\Application Data\Real
2006-11-18	17:52 d--------	C:\Program Files\WinRAR
2006-11-18	17:42 d--------	C:\Documents and Settings\NYL\Contacts
2006-11-18	17:38	36,484	--a------	C:\WINDOWS\system32\drivers\SMBios.sys
2006-11-18	17:38 d--------	C:\TempEI4
2006-11-18	17:35 d--------	C:\Documents and Settings\NYL\Application Data\AOL
2006-11-18	17:33	368,912	--a------	C:\WINDOWS\system32\vbar332.dll
2006-11-18	17:33	173,184	--a------	C:\WINDOWS\system32\ygpss.scr
2006-11-18	17:33	118,784	--a------	C:\WINDOWS\system32\Msstdfmt.dll
2006-11-18	17:33	102,400	--a------	C:\WINDOWS\system32\SimpleRegistry.dll
2006-11-18	17:33	10,752	--a------	C:\WINDOWS\system32\aamd532.dll
2006-11-18	17:33 d--------	C:\WINDOWS\occache
2006-11-18	17:33 d--------	C:\Program Files\Viewpoint
2006-11-18	17:33 d--------	C:\Program Files\Learn2.com
2006-11-18	17:33 d--------	C:\Program Files\Common Files\aolback
2006-11-18	17:33 d--------	C:\Program Files\AOL Companion
2006-11-18	17:33 d--------	C:\Documents and Settings\NYL\Application Data\You've Got Pictures Screensaver
2006-11-18	17:33 d--------	C:\Documents and Settings\All Users\Application Data\Viewpoint
2006-11-18	17:32	86,016	--a------	C:\WINDOWS\unvise32qt.exe
2006-11-18	17:32 d--------	C:\Program Files\QuickTime
2006-11-18	17:32 d--------	C:\Program Files\Common Files\Nullsoft
2006-11-18	17:32 d--------	C:\Program Files\AOL Toolbar
2006-11-18	17:32 d--------	C:\Documents and Settings\All Users\Application Data\QuickTime
2006-11-18	17:31	8,552	--a------	C:\WINDOWS\system32\drivers\asctrm.sys
2006-11-18	17:31 d----c---	C:\WINDOWS\system32\DRVSTORE
2006-11-18	17:31 d--------	C:\My Music
2006-11-18	17:30 d--------	C:\Program Files\Real
2006-11-18	17:30 d--------	C:\Program Files\Common Files\Real
2006-11-18	17:28	80,896	--a------	C:\WINDOWS\1Sy.exe
2006-11-18	17:28	54,784	--a------	C:\WINDOWS\system32\Inetwh32.dll
2006-11-18	17:28	50,176	--a------	C:\WINDOWS\system32\msdll.dll
2006-11-18	17:28	42,496	--a------	C:\WINDOWS\system32\ztdll.dll
2006-11-18	17:28	40,960	--a------	C:\WINDOWS\system32\wldll.dll
2006-11-18	17:28	39,936	--a------	C:\WINDOWS\rxdll.dll
2006-11-18	17:28	39,424	---hs----	C:\WINDOWS\system32\gqbote.dll
2006-11-18	17:28	38,912	--a------	C:\WINDOWS\system32\xydll.dll
2006-11-18	17:28	37,818	--a------	C:\WINDOWS\3Sy.exe
2006-11-18	17:28	37,376	--a------	C:\WINDOWS\7Sy.exe
2006-11-18	17:28	33,280	--a------	C:\WINDOWS\system32\dllwm.dll
2006-11-18	17:28	28,459	--a------	C:\WINDOWS\4Sy.exe
2006-11-18	17:28	153,088	--a------	C:\WINDOWS\system32\jgdwmie.dll
2006-11-18	17:28	1,060,864	--a------	C:\WINDOWS\system32\mfc71.dll
2006-11-18	17:28	1,044,480	--a------	C:\WINDOWS\system32\roboex32.dll
2006-11-18	17:28 d--------	C:\WINDOWS\Download
2006-11-18	17:28 d--------	C:\WINDOWS\down
2006-11-18	17:28 d--------	C:\Program Files\Microsoft
2006-11-18	17:27	35,328	--a------	C:\WINDOWS\0Sy.exe
2006-11-18	17:27	27,136	--a------	C:\WINDOWS\Dll.dll
2006-11-18	17:27 d--------	C:\WINDOWS\Intel
2006-11-18	17:27 d--------	C:\Program Files\Common Files\aolshare
2006-11-18	17:27 d--------	C:\Program Files\AOL 9.0
2006-11-18	17:27 d--------	C:\Documents and Settings\All Users\Application Data\AOL
2006-11-18	17:26 d--------	C:\Program Files\Common Files\AOL
2006-11-18	17:20 d--h-----	C:\Program Files\Uninstall Information
2006-11-18	17:20 d--------	C:\Documents and Settings\NYL\Application Data\Identities
2006-11-18	17:19 d--------	C:\Program Files\Windows Media Connect
2006-11-18	17:17	947,472	--a------	C:\WINDOWS\system32\msjava.dll
2006-11-18	17:17	63,248	--a------	C:\WINDOWS\system32\javaprxy.dll
2006-11-18	17:17	49,424	--a------	C:\WINDOWS\system32\clspack.exe
2006-11-18	17:17	46,352	--a------	C:\WINDOWS\setdebug.exe
2006-11-18	17:17	404,752	--a------	C:\WINDOWS\system32\javart.dll
2006-11-18	17:17	313,856	--a------	C:\WINDOWS\system32\dx3j.dll
2006-11-18	17:17	286,992	--a------	C:\WINDOWS\system32\vmhelper.dll
2006-11-18	17:17	21,264	--a------	C:\WINDOWS\system32\msjdbc10.dll
2006-11-18	17:17	187,152	--a------	C:\WINDOWS\system32\javacypt.dll
2006-11-18	17:17	172,304	--a------	C:\WINDOWS\system32\jview.exe
2006-11-18	17:17	171,792	--a------	C:\WINDOWS\system32\wjview.exe
2006-11-18	17:17	171,280	--a------	C:\WINDOWS\system32\jit.dll
2006-11-18	17:17	154,384	--a------	C:\WINDOWS\system32\msawt.dll
2006-11-18	17:17	15,120	--a------	C:\WINDOWS\system32\jdbgmgr.exe
2006-11-18	17:17	139,536	--a------	C:\WINDOWS\system32\javaee.dll
2006-11-18	17:17	113	--a------	C:\WINDOWS\system32\zonedon.reg
2006-11-18	17:17	113	--a------	C:\WINDOWS\system32\zonedoff.reg
2006-11-18	17:17 d--------	C:\WINDOWS\Downloaded Installations
2006-11-18	17:17 d--------	C:\Program Files\Windows Journal Viewer
2006-11-18	17:17 d--------	C:\Program Files\HighMAT CD Writing Wizard
2006-11-18	17:17 d--------	C:\Documents and Settings\NYL\Application Data\Macromedia
2006-11-18	17:16 d--------	C:\Program Files\MSN Messenger
2006-11-18	17:13 dr--s----	C:\WINDOWS\assembly
2006-11-18	17:13 d--------	C:\WINDOWS\system32\URTTemp
2006-11-18	17:13 d--------	C:\WINDOWS\Microsoft.NET
2006-11-18	17:12 dr-h-----	C:\Documents and Settings\NYL\SendTo
2006-11-18	17:12 dr-h-----	C:\Documents and Settings\NYL\Recent
2006-11-18	17:12 dr-h-----	C:\Documents and Settings\NYL\Application Data\.
2006-11-18	17:12 dr-h-----	C:\Documents and Settings\NYL\Application Data
2006-11-18	17:12 dr-------	C:\Documents and Settings\NYL\My Documents
2006-11-18	17:12 dr-------	C:\Documents and Settings\NYL\Favorites
2006-11-18	17:12 d--h-----	C:\Documents and Settings\NYL\Templates
2006-11-18	17:12 d--h-----	C:\Documents and Settings\NYL\PrintHood
2006-11-18	17:12 d--h-----	C:\Documents and Settings\NYL\NetHood
2006-11-18	17:12 d--h-----	C:\Documents and Settings\NYL\Local Settings
2006-11-18	17:12 d---s----	C:\Documents and Settings\NYL\Cookies
2006-11-18	17:12 d---s----	C:\Documents and Settings\NYL\Application Data\Microsoft
2006-11-18	17:12 d--------	C:\Documents and Settings\NYL\Application Data\..
2006-11-18	17:12 d--------	C:\Documents and Settings\NYL\???????
2006-11-18	17:12 d--------	C:\Documents and Settings\NYL\??
2006-11-18	17:12 d--------	C:\Documents and Settings\NYL\..
2006-11-18	17:12 d--------	C:\Documents and Settings\NYL\.
2006-11-18	17:11 d--------	C:\WINDOWS\SoftwareDistribution
2006-11-18	17:10 d---s----	C:\WINDOWS\system32\Microsoft
2006-11-18	17:10 d--------	C:\WINDOWS\Prefetch
2006-11-18	17:04 d--------	C:\WINDOWS\system32\xircom
2006-11-18	17:04 d--------	C:\Program Files\xerox
2006-11-18	17:04 d--------	C:\Program Files\microsoft frontpage
2006-11-18	17:00	0	-rahs----	C:\MSDOS.SYS
2006-11-18	17:00	0	-rahs----	C:\IO.SYS
2006-11-18	17:00	0	--a------	C:\CONFIG.SYS
2006-11-18	17:00	0	--a------	C:\AUTOEXEC.BAT
2006-11-18	17:00 d--h-----	C:\WINDOWS\$hf_mig$
2006-11-18	16:59	112,128	--a------	C:\WINDOWS\system32\mapi32.dll
2006-11-18	16:57 dr-------	C:\WINDOWS\Offline Web Pages
2006-11-18	16:57 d--hs----	C:\Documents and Settings\All Users\DRM
2006-11-18	16:57 d--h-----	C:\Program Files\WindowsUpdate
2006-11-18	16:57 d---s----	C:\WINDOWS\Downloaded Program Files
2006-11-18	16:57 d--------	C:\Program Files\Online Services
2006-11-18	16:56	64,512	--a------	C:\WINDOWS\system32\acctres.dll
2006-11-18	16:56	16,384	--a------	C:\WINDOWS\system32\icfgnt5.dll
2006-11-18	16:56	12,288	--a------	C:\WINDOWS\system32\nmevtmsg.dll
2006-11-18	16:56	11,264	--a------	C:\WINDOWS\system32\atrace.dll
2006-11-18	16:56 d---s----	C:\WINDOWS\Tasks
2006-11-18	16:56 d--------	C:\WINDOWS\system32\Macromed
2006-11-18	16:56 d--------	C:\WINDOWS\system32\DirectX
2006-11-18	16:56 d--------	C:\WINDOWS\srchasst
2006-11-18	16:56 d--------	C:\Program Files\Common Files\Services
2006-11-18	16:56 d--------	C:\Program Files\Common Files\MSSoap
2006-11-18	16:55	81,920	--a------	C:\WINDOWS\system32\ils.dll
2006-11-18	16:55	8,192	--a------	C:\WINDOWS\system32\bitsprx2.dll
2006-11-18	16:55	73,728	--a------	C:\WINDOWS\system32\isign32.dll
2006-11-18	16:55	73,216	--a------	C:\WINDOWS\system32\drivers\sr.sys
2006-11-18	16:55	7,168	--a------	C:\WINDOWS\system32\bitsprx3.dll
2006-11-18	16:55	69,632	--a------	C:\WINDOWS\system32\msconf.dll
2006-11-18	16:55	679,424	--a------	C:\WINDOWS\system32\inetcomm.dll
2006-11-18	16:55	67,072	--a------	C:\WINDOWS\system32\srclient.dll
2006-11-18	16:55	65,536	--a------	C:\WINDOWS\system32\icwphbk.dll
2006-11-18	16:55	65,536	--a------	C:\WINDOWS\system32\icwdial.dll
2006-11-18	16:55	6,656	--a------	C:\WINDOWS\system32\wuauserv.dll
2006-11-18	16:55	45,568	--a------	C:\WINDOWS\system32\safrslv.dll
2006-11-18	16:55	43,520	--a------	C:\WINDOWS\system32\safrcdlg.dll
2006-11-18	16:55	43,008	--a------	C:\WINDOWS\system32\racpldlg.dll
2006-11-18	16:55	426,496	--a------	C:\WINDOWS\system32\wuapi.dll
2006-11-18	16:55	382,464	--a------	C:\WINDOWS\system32\qmgr.dll
2006-11-18	16:55	38,912	--a------	C:\WINDOWS\system32\inetres.dll
2006-11-18	16:55	36,864	--a------	C:\WINDOWS\system32\wups.dll
2006-11-18	16:55	34,560	--a------	C:\WINDOWS\system32\mnmdd.dll
2006-11-18	16:55	32,768	--a------	C:\WINDOWS\system32\mnmsrvc.exe
2006-11-18	16:55	32,768	--a------	C:\WINDOWS\system32\isrdbg32.dll
2006-11-18	16:55	29,696	--a------	C:\WINDOWS\system32\safrdm.dll
2006-11-18	16:55	28,672	--a------	C:\WINDOWS\system32\nmmkcert.dll
2006-11-18	16:55	260,608	--a------	C:\WINDOWS\system32\mstask.dll
2006-11-18	16:55	253,952	--a------	C:\WINDOWS\system32\inetcfg.dll
2006-11-18	16:55	252,928	--a------	C:\WINDOWS\system32\msoeacct.dll
2006-11-18	16:55	233,984	--a------	C:\WINDOWS\system32\srrstr.dll
2006-11-18	16:55	22,528	--a------	C:\WINDOWS\system32\fltMc.exe
2006-11-18	16:55	185,344	--a------	C:\WINDOWS\system32\schedsvc.dll
2006-11-18	16:55	180,224	--a------	C:\WINDOWS\system32\wuaueng1.dll
2006-11-18	16:55	18,944	--a------	C:\WINDOWS\system32\qmgrprxy.dll
2006-11-18	16:55	168,960	--a------	C:\WINDOWS\system32\srsvc.dll
2006-11-18	16:55	16,896	--a------	C:\WINDOWS\system32\fltlib.dll
2006-11-18	16:55	159,232	--a------	C:\WINDOWS\system32\wuauclt1.exe
2006-11-18	16:55	124,800	--a------	C:\WINDOWS\system32\drivers\fltMgr.sys
2006-11-18	16:55	120,320	--a------	C:\WINDOWS\system32\wuweb.dll
2006-11-18	16:55	11,776	--a------	C:\WINDOWS\system32\mstinit.exe
2006-11-18	16:55	109,568	--a------	C:\WINDOWS\system32\wucltui.dll
2006-11-18	16:55	108,032	--a------	C:\WINDOWS\system32\wuauclt.exe
2006-11-18	16:55	105,984	--a------	C:\WINDOWS\system32\msoert2.dll
2006-11-18	16:55	1,134,592	--a------	C:\WINDOWS\system32\wuaueng.dll
2006-11-18	16:55 d--------	C:\WINDOWS\system32\Restore
2006-11-18	16:55 d--------	C:\Program Files\Outlook Express
2006-11-18	16:55 d--------	C:\Program Files\NetMeeting
2006-11-18	16:55 d--------	C:\Program Files\Movie Maker
2006-11-18	16:55 d--------	C:\Program Files\Internet Explorer
2006-11-18	16:55 d--------	C:\Program Files\Common Files\System
2006-11-18	16:54 d--------	C:\WINDOWS\Registration
2006-11-18	16:54 d--------	C:\Program Files\ComPlus Applications
2006-11-18	16:53	97,280	--a------	C:\WINDOWS\system32\clipbrd.exe
2006-11-18	16:53	949,248	--a------	C:\WINDOWS\system32\msdtctm.dll
2006-11-18	16:53	93,696	--a------	C:\WINDOWS\system32\tscfgwmi.dll
2006-11-18	16:53	90,112	--a------	C:\WINDOWS\system32\mtxoci.dll
2006-11-18	16:53	87,176	--a------	C:\WINDOWS\system32\rdpwsx.dll
2006-11-18	16:53	85,504	--a------	C:\WINDOWS\system32\catsrvps.dll
2006-11-18	16:53	82,432	--a------	C:\WINDOWS\system32\comrepl.dll
2006-11-18	16:53	80,384	--a------	C:\WINDOWS\system32\charmap.exe
2006-11-18	16:53	73,216	--a------	C:\WINDOWS\system32\avwav.dll
2006-11-18	16:53	67,072	--a------	C:\WINDOWS\system32\rdshost.exe
2006-11-18	16:53	655,360	--a------	C:\WINDOWS\system32\mstscax.dll
2006-11-18	16:53	628,224	--a------	C:\WINDOWS\system32\catsrvut.dll
2006-11-18	16:53	62,464	--a------	C:\WINDOWS\system32\rdpclip.exe
2006-11-18	16:53	62,464	--a------	C:\WINDOWS\system32\colbact.dll
2006-11-18	16:53	605,696	--a------	C:\WINDOWS\system32\getuname.dll
2006-11-18	16:53	6,144	--a------	C:\WINDOWS\system32\msdtc.exe
2006-11-18	16:53	58,880	--a------	C:\WINDOWS\system32\msdtclog.dll
2006-11-18	16:53	57,344	--a------	C:\WINDOWS\system32\remotepg.dll
2006-11-18	16:53	56,832	--a------	C:\WINDOWS\system32\sol.exe
2006-11-18	16:53	55,296	--a------	C:\WINDOWS\system32\freecell.exe
2006-11-18	16:53	540,160	--a------	C:\WINDOWS\system32\comuid.dll
2006-11-18	16:53	54,272	--a------	C:\WINDOWS\system32\stclient.dll
2006-11-18	16:53	537,088	--a------	C:\WINDOWS\system32\spider.exe
2006-11-18	16:53	501,248	--a------	C:\WINDOWS\system32\clbcatq.dll
2006-11-18	16:53	5,632	--a------	C:\WINDOWS\system32\write.exe
2006-11-18	16:53	5,120	--a------	C:\WINDOWS\system32\dcomcnfg.exe
2006-11-18	16:53	44,544	--a------	C:\WINDOWS\system32\tscupgrd.exe
2006-11-18	16:53	44,544	--a------	C:\WINDOWS\system32\hticons.dll
2006-11-18	16:53	425,472	--a------	C:\WINDOWS\system32\msdtcprx.dll
2006-11-18	16:53	4,096	--a------	C:\WINDOWS\system32\rdpcfgex.dll
2006-11-18	16:53	4,096	--a------	C:\WINDOWS\system32\mtxex.dll
2006-11-18	16:53	390,656	--a------	C:\WINDOWS\system32\mstsc.exe
2006-11-18	16:53	38,400	--a------	C:\WINDOWS\system32\cfgbkend.dll
2006-11-18	16:53	35,328	--a------	C:\WINDOWS\system32\winchat.exe
2006-11-18	16:53	334,848	-ra------	C:\WINDOWS\system32\hypertrm.dll
2006-11-18	16:53	332,800	--a------	C:\WINDOWS\system32\mspaint.exe
2006-11-18	16:53	33,792	--a------	C:\WINDOWS\system32\regini.exe
2006-11-18	16:53	286,208	--a------	C:\WINDOWS\system32\termsrv.dll
2006-11-18	16:53	26,624	--a------	C:\WINDOWS\system32\qwinsta.exe
2006-11-18	16:53	25,600	--a------	C:\WINDOWS\system32\comaddin.dll
2006-11-18	16:53	25,088	--a------	C:\WINDOWS\system32\mtxlegih.dll
2006-11-18	16:53	25,088	--a------	C:\WINDOWS\system32\msg.exe
2006-11-18	16:53	229,888	--a------	C:\WINDOWS\system32\catsrv.dll
2006-11-18	16:53	227,840	--a------	C:\WINDOWS\system32\avtapi.dll
2006-11-18	16:53	22,528	--a------	C:\WINDOWS\system32\qprocess.exe
2006-11-18	16:53	21,896	--a------	C:\WINDOWS\system32\drivers\tdtcp.sys
2006-11-18	16:53	20,480	--a------	C:\WINDOWS\system32\mtxdm.dll
2006-11-18	16:53	19,968	--a------	C:\WINDOWS\system32\rdpsnd.dll
2006-11-18	16:53	19,456	--a------	C:\WINDOWS\system32\tsshutdn.exe
2006-11-18	16:53	18,944	--a------	C:\WINDOWS\system32\qappsrv.exe
2006-11-18	16:53	18,432	--a------	C:\WINDOWS\system32\tskill.exe
2006-11-18	16:53	18,432	--a------	C:\WINDOWS\system32\rwinsta.exe
2006-11-18	16:53	171,008	--a------	C:\WINDOWS\system32\accwiz.exe
2006-11-18	16:53	17,408	--a------	C:\WINDOWS\system32\tscon.exe
2006-11-18	16:53	17,408	--a------	C:\WINDOWS\system32\logoff.exe
2006-11-18	16:53	161,280	--a------	C:\WINDOWS\system32\msdtcuiu.dll
2006-11-18	16:53	16,896	--a------	C:\WINDOWS\system32\tsdiscon.exe
2006-11-18	16:53	16,896	--a------	C:\WINDOWS\system32\shadow.exe
2006-11-18	16:53	16,384	--a------	C:\WINDOWS\system32\avmeter.dll
2006-11-18	16:53	15,872	--a------	C:\WINDOWS\system32\cdmodem.dll
2006-11-18	16:53	147,968	--a------	C:\WINDOWS\system32\rdchost.dll
2006-11-18	16:53	147,456	--a------	C:\WINDOWS\system32\comsnap.dll
2006-11-18	16:53	139,400	--a------	C:\WINDOWS\system32\drivers\rdpwd.sys
2006-11-18	16:53	138,752	--a------	C:\WINDOWS\system32\sndvol32.exe
2006-11-18	16:53	136,704	--a------	C:\WINDOWS\system32\sessmgr.exe
2006-11-18	16:53	13,824	--a------	C:\WINDOWS\system32\rdsaddin.exe
2006-11-18	16:53	128,000	--a------	C:\WINDOWS\system32\sndrec32.exe
2006-11-18	16:53	126,976	--a------	C:\WINDOWS\system32\mshearts.exe
2006-11-18	16:53	12,040	--a------	C:\WINDOWS\system32\drivers\tdpipe.sys
2006-11-18	16:53	119,808	--a------	C:\WINDOWS\system32\winmine.exe
2006-11-18	16:53	119,808	--a------	C:\WINDOWS\system32\mplay32.exe
2006-11-18	16:53	114,688	--a------	C:\WINDOWS\system32\calc.exe
2006-11-18	16:53	110,080	--a------	C:\WINDOWS\system32\clbcatex.dll
2006-11-18	16:53	11,776	--a------	C:\WINDOWS\system32\xolehlp.dll
2006-11-18	16:53	11,264	--a------	C:\WINDOWS\system32\icaapi.dll
2006-11-18	16:53	10,752	--a------	C:\WINDOWS\system32\reset.exe
2006-11-18	16:53	1,251,840	--a------	C:\WINDOWS\system32\comsvcs.dll
2006-11-18	16:53	1,062	--a------	C:\WINDOWS\system32\usrlogon.cmd
2006-11-18	16:53 d--------	C:\WINDOWS\system32\MsDtc
2006-11-18	16:53 d--------	C:\WINDOWS\system32\Com
2006-11-18	16:53 d--------	C:\Program Files\Windows NT
2006-11-18	16:53 d--------	C:\Program Files\Windows Media Player
2006-11-18	16:53 d--------	C:\Program Files\MSN Gaming Zone
2006-11-18	16:53 d--------	C:\Program Files\Messenger
2006-11-18	16:52	58,880	--a------	C:\WINDOWS\system32\licwmi.dll
2006-11-18	16:52	55,296	--a------	C:\WINDOWS\system32\servdeps.dll
2006-11-18	16:52	40,840	--a------	C:\WINDOWS\system32\drivers\termdd.sys
2006-11-18	16:52	196,864	--a------	C:\WINDOWS\system32\drivers\rdpdr.sys
2006-11-18	16:52	173,568	--a------	C:\WINDOWS\system32\cmprops.dll
2006-11-18	16:52	16,896	--a------	C:\WINDOWS\system32\mmfutil.dll
2006-11-18	16:26 dr-hsc---	C:\WINDOWS\system32\dllcache
2006-11-18	16:26 dr--s----	C:\WINDOWS\Fonts
2006-11-18	16:26 dr-------	C:\WINDOWS\Web
2006-11-18	16:26 d--hs----	C:\WINDOWS\..
2006-11-18	16:26 d--h-----	C:\WINDOWS\inf
2006-11-18	16:26 d--------	C:\WINDOWS\WinSxS
2006-11-18	16:26 d--------	C:\WINDOWS\twain_32
2006-11-18	16:26 d--------	C:\WINDOWS\Temp
2006-11-18	16:26 d--------	C:\WINDOWS\system32\wins
2006-11-18	16:26 d--------	C:\WINDOWS\system32\wbem
2006-11-18	16:26 d--------	C:\WINDOWS\system32\usmt


----------



## yingybaby (Nov 14, 2006)

2006-11-18	16:26 d--------	C:\WINDOWS\system32\spool
2006-11-18	16:26 d--------	C:\WINDOWS\system32\ShellExt
2006-11-18	16:26 d--------	C:\WINDOWS\system32\Setup
2006-11-18	16:26 d--------	C:\WINDOWS\system32\ras
2006-11-18	16:26 d--------	C:\WINDOWS\system32\oobe
2006-11-18	16:26 d--------	C:\WINDOWS\system32\npp
2006-11-18	16:26 d--------	C:\WINDOWS\system32\mui
2006-11-18	16:26 d--------	C:\WINDOWS\system32\inetsrv
2006-11-18	16:26 d--------	C:\WINDOWS\system32\IME
2006-11-18	16:26 d--------	C:\WINDOWS\system32\icsxml
2006-11-18	16:26 d--------	C:\WINDOWS\system32\ias
2006-11-18	16:26 d--------	C:\WINDOWS\system32\export
2006-11-18	16:26 d--------	C:\WINDOWS\system32\drivers\etc
2006-11-18	16:26 d--------	C:\WINDOWS\system32\drivers\disdn
2006-11-18	16:26 d--------	C:\WINDOWS\system32\drivers\..
2006-11-18	16:26 d--------	C:\WINDOWS\system32\drivers\.
2006-11-18	16:26 d--------	C:\WINDOWS\system32\drivers
2006-11-18	16:26 d--------	C:\WINDOWS\system32\dhcp
2006-11-18	16:26 d--------	C:\WINDOWS\system32\config
2006-11-18	16:26 d--------	C:\WINDOWS\system32\3com_dmi
2006-11-18	16:26 d--------	C:\WINDOWS\system32\3076
2006-11-18	16:26 d--------	C:\WINDOWS\system32\2052
2006-11-18	16:26 d--------	C:\WINDOWS\system32\1054
2006-11-18	16:26 d--------	C:\WINDOWS\system32\1042
2006-11-18	16:26 d--------	C:\WINDOWS\system32\1041
2006-11-18	16:26 d--------	C:\WINDOWS\system32\1037
2006-11-18	16:26 d--------	C:\WINDOWS\system32\1033
2006-11-18	16:26 d--------	C:\WINDOWS\system32\1031
2006-11-18	16:26 d--------	C:\WINDOWS\system32\1028
2006-11-18	16:26 d--------	C:\WINDOWS\system32\1025
2006-11-18	16:26 d--------	C:\WINDOWS\system32\..
2006-11-18	16:26 d--------	C:\WINDOWS\system32\.
2006-11-18	16:26 d--------	C:\WINDOWS\system32
2006-11-18	16:26 d--------	C:\WINDOWS\system\..
2006-11-18	16:26 d--------	C:\WINDOWS\system\.
2006-11-18	16:26 d--------	C:\WINDOWS\system
2006-11-18	16:26 d--------	C:\WINDOWS\security
2006-11-18	16:26 d--------	C:\WINDOWS\Resources
2006-11-18	16:26 d--------	C:\WINDOWS\repair
2006-11-18	16:26 d--------	C:\WINDOWS\Provisioning
2006-11-18	16:26 d--------	C:\WINDOWS\PeerNet
2006-11-18	16:26 d--------	C:\WINDOWS\pchealth
2006-11-18	16:26 d--------	C:\WINDOWS\mui
2006-11-18	16:26 d--------	C:\WINDOWS\msapps
2006-11-18	16:26 d--------	C:\WINDOWS\msagent
2006-11-18	16:26 d--------	C:\WINDOWS\Media
2006-11-18	16:26 d--------	C:\WINDOWS\java
2006-11-18	16:26 d--------	C:\WINDOWS\ime
2006-11-18	16:26 d--------	C:\WINDOWS\Help
2006-11-18	16:26 d--------	C:\WINDOWS\ehome
2006-11-18	16:26 d--------	C:\WINDOWS\Driver Cache
2006-11-18	16:26 d--------	C:\WINDOWS\Debug
2006-11-18	16:26 d--------	C:\WINDOWS\Cursors
2006-11-18	16:26 d--------	C:\WINDOWS\Connection Wizard
2006-11-18	16:26 d--------	C:\WINDOWS\Config
2006-11-18	16:26 d--------	C:\WINDOWS\AppPatch
2006-11-18	16:26 d--------	C:\WINDOWS\addins
2006-11-18	16:26 d--------	C:\WINDOWS\.
2006-11-18	16:26 d--------	C:\WINDOWS
2006-11-18	08:45	82,944	--a------	C:\WINDOWS\system32\drivers\wdmaud.sys
2006-11-18	08:45	7,552	--a------	C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-11-18	08:45	60,800	--a------	C:\WINDOWS\system32\drivers\sysaudio.sys
2006-11-18	08:45	6,400	--a------	C:\WINDOWS\system32\drivers\splitter.sys
2006-11-18	08:45	54,272	--a------	C:\WINDOWS\system32\drivers\swmidi.sys
2006-11-18	08:45	52,864	--a------	C:\WINDOWS\system32\drivers\DMusic.sys
2006-11-18	08:45	5,376	--a------	C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-11-18	08:45	4,992	--a------	C:\WINDOWS\system32\drivers\MSPQM.sys
2006-11-18	08:45	3,072	--a------	C:\WINDOWS\system32\drivers\audstub.sys
2006-11-18	08:45	2,944	--a------	C:\WINDOWS\system32\drivers\drmkaud.sys
2006-11-18	08:45	171,776	--a------	C:\WINDOWS\system32\drivers\kmixer.sys
2006-11-18	08:45	142,464	--a------	C:\WINDOWS\system32\drivers\aec.sys
2006-11-18	08:44	54,912	--a------	C:\WINDOWS\system32\drivers\redbook.sys
2006-11-18	08:44	21,504	--a------	C:\WINDOWS\system32\hidserv.dll
2006-11-18	08:44	2,944	--a------	C:\WINDOWS\system32\drivers\msmpu401.sys
2006-11-18	08:44	16,128	--a------	C:\WINDOWS\system32\drivers\MODEMCSA.sys
2006-11-18	08:43	86,016	--a------	C:\WINDOWS\system32\mdmxsdk.dll
2006-11-18	08:43	685,056	--a------	C:\WINDOWS\system32\drivers\HSFCXTS2.sys
2006-11-18	08:43	6,400	--a------	C:\WINDOWS\system32\drivers\enum1394.sys
2006-11-18	08:43	4,274,816	--a------	C:\WINDOWS\system32\nv4_disp.dll
2006-11-18	08:43	32,285	--a------	C:\WINDOWS\system32\HSFCISP2.dll
2006-11-18	08:43	220,032	--a------	C:\WINDOWS\system32\drivers\HSFBS2S2.sys
2006-11-18	08:43	20,992	--a------	C:\WINDOWS\system32\drivers\RTL8139.sys
2006-11-18	08:43	11,868	--a------	C:\WINDOWS\system32\drivers\mdmxsdk.sys
2006-11-18	08:43	10,624	--a------	C:\WINDOWS\system32\drivers\gameenum.sys
2006-11-18	08:43	1,897,408	--a------	C:\WINDOWS\system32\drivers\nv4_mini.sys
2006-11-18	08:43	1,041,536	--a------	C:\WINDOWS\system32\drivers\HSFDPSP2.sys
2006-11-18	08:42	96,256	--a------	C:\WINDOWS\system32\drivers\ac97intc.sys
2006-11-18	08:42	65,536	--a------	C:\WINDOWS\system32\usbui.dll
2006-11-18	08:42	60,288	--a------	C:\WINDOWS\system32\drivers\drmk.sys
2006-11-18	08:42	42,368	--a------	C:\WINDOWS\system32\drivers\AGP440.SYS
2006-11-18	08:42	4,096	--a------	C:\WINDOWS\system32\ksuser.dll
2006-11-18	08:42	145,792	--a------	C:\WINDOWS\system32\drivers\portcls.sys
2006-11-18	08:41 dr-------	C:\Program Files\Common Files\..
2006-11-18	08:41 dr-------	C:\Program Files\.
2006-11-18	08:41 dr-------	C:\Program Files
2006-11-18	08:41 d--hs----	C:\WINDOWS\Installer
2006-11-18	08:41 d--hs----	C:\Program Files\..
2006-11-18	08:41 d--------	C:\Program Files\Common Files\SpeechEngines
2006-11-18	08:41 d--------	C:\Program Files\Common Files\ODBC
2006-11-18	08:41 d--------	C:\Program Files\Common Files\Microsoft Shared
2006-11-18	08:41 d--------	C:\Program Files\Common Files\.
2006-11-18	08:41 d--------	C:\Program Files\Common Files
2006-11-18	08:40	98,304	--a------	C:\WINDOWS\system32\msir3jp.dll
2006-11-18	08:40	8,192	-ra------	C:\WINDOWS\system32\kbdhept.dll
2006-11-18	08:40	70,656	--a------	C:\WINDOWS\system32\korwbrkr.dll
2006-11-18	08:40	7,168	-ra------	C:\WINDOWS\system32\kbdcz.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdycl.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdsl1.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdsl.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdpl.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdhu.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdhela3.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdcz2.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdcz1.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\kbdcr.dll
2006-11-18	08:40	6,656	-ra------	C:\WINDOWS\system32\KBDAL.DLL
2006-11-18	08:40	6,144	-ra------	C:\WINDOWS\system32\kbdtuq.dll
2006-11-18	08:40	6,144	-ra------	C:\WINDOWS\system32\kbdtuf.dll
2006-11-18	08:40	6,144	-ra------	C:\WINDOWS\system32\kbdlv1.dll
2006-11-18	08:40	6,144	-ra------	C:\WINDOWS\system32\kbdlv.dll
2006-11-18	08:40	6,144	-ra------	C:\WINDOWS\system32\kbdhela2.dll
2006-11-18	08:40	6,144	-ra------	C:\WINDOWS\system32\kbdgkl.dll
2006-11-18	08:40	6,144	-ra------	C:\WINDOWS\system32\kbdest.dll
2006-11-18	08:40	6,144	--a------	C:\WINDOWS\system32\kbd101a.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdycc.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbduzb.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdur.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdtat.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdru1.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdru.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdro.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdpl1.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdmon.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdlt1.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdlt.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdkyr.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdkaz.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdhu1.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdhe319.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdhe220.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdhe.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdbu.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdblr.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdazel.dll
2006-11-18	08:40	5,632	-ra------	C:\WINDOWS\system32\kbdaze.dll
2006-11-18	08:40	218,112	--a------	C:\WINDOWS\system32\c_g18030.dll
2006-11-18	08:40	1,677,824	--a------	C:\WINDOWS\system32\chsbrkr.dll
2006-11-18	08:39	9,936	--a------	C:\WINDOWS\system\LZEXPAND.DLL
2006-11-18	08:39	9,216	--a------	C:\WINDOWS\system32\kbdnecAT.dll
2006-11-18	08:39	9,008	--a------	C:\WINDOWS\system\VER.DLL
2006-11-18	08:39	85,020	--a------	C:\WINDOWS\system32\dgsetup.dll
2006-11-18	08:39	82,535	--a------	C:\WINDOWS\system\OLECLI.DLL
2006-11-18	08:39	811,064	--a------	C:\WINDOWS\system32\imjp81k.dll
2006-11-18	08:39	8,704	--a------	C:\WINDOWS\system32\kbdjpn.dll
2006-11-18	08:39	8,704	--a------	C:\WINDOWS\system32\batt.dll
2006-11-18	08:39	8,192	--a------	C:\WINDOWS\system32\kbdkor.dll
2006-11-18	08:39	7,680	--a------	C:\WINDOWS\system32\kbdnecNT.dll
2006-11-18	08:39	7,168	--a------	C:\WINDOWS\system32\kbdnec95.dll
2006-11-18	08:39	7,168	--a------	C:\WINDOWS\system32\kbdibm02.dll
2006-11-18	08:39	7,168	--a------	C:\WINDOWS\system32\f3ahvoas.dll
2006-11-18	08:39	69,584	--a------	C:\WINDOWS\system\AVICAP.DLL
2006-11-18	08:39	68,768	--a------	C:\WINDOWS\system\MMSYSTEM.DLL
2006-11-18	08:39	67,584	--a------	C:\WINDOWS\system32\storprop.dll
2006-11-18	08:39	66,560	--a------	C:\WINDOWS\NOTEPAD.EXE
2006-11-18	08:39	6,656	--a------	C:\WINDOWS\system32\kbdlk41a.dll
2006-11-18	08:39	6,656	--a------	C:\WINDOWS\system32\c_is2022.dll
2006-11-18	08:39	6,144	--a------	C:\WINDOWS\system32\kbdlk41j.dll
2006-11-18	08:39	6,144	--a------	C:\WINDOWS\system32\kbdax2.dll
2006-11-18	08:39	6,144	--a------	C:\WINDOWS\system32\kbd106n.dll
2006-11-18	08:39	6,144	--a------	C:\WINDOWS\system32\kbd106.dll
2006-11-18	08:39	6,144	--a------	C:\WINDOWS\system32\kbd101c.dll
2006-11-18	08:39	6,144	--a------	C:\WINDOWS\system32\kbd101b.dll
2006-11-18	08:39	6,144	--a------	C:\WINDOWS\system32\kbd101.dll
2006-11-18	08:39	5,632	--a------	C:\WINDOWS\system32\kbd103.dll
2006-11-18	08:39	5,120	--a------	C:\WINDOWS\system\SHELL.DLL
2006-11-18	08:39	32,880	--a------	C:\WINDOWS\system\COMMDLG.DLL
2006-11-18	08:39	24,661	--a------	C:\WINDOWS\system32\spxcoins.dll
2006-11-18	08:39	24,064	--a------	C:\WINDOWS\system\OLESVR.DLL
2006-11-18	08:39	19,200	--a------	C:\WINDOWS\system\TAPI.DLL
2006-11-18	08:39	176,157	--a------	C:\WINDOWS\system32\dgrpsetu.dll
2006-11-18	08:39	15,360	--a------	C:\WINDOWS\TASKMAN.EXE
2006-11-18	08:39	13,312	--a------	C:\WINDOWS\system32\irclass.dll
2006-11-18	08:39	126,912	--a------	C:\WINDOWS\system\MSVIDEO.DLL
2006-11-18	08:39	11,264	--a------	C:\WINDOWS\system32\drivers\irenum.sys
2006-11-18	08:39	109,456	--a------	C:\WINDOWS\system\AVIFILE.DLL
2006-11-18	08:39	103,424	--a------	C:\WINDOWS\system32\EqnClass.Dll
2006-11-18	08:38 dr-h-----	C:\Documents and Settings\All Users\Application Data\.
2006-11-18	08:38 dr-h-----	C:\Documents and Settings\All Users\Application Data
2006-11-18	08:38 dr-------	C:\Documents and Settings\All Users\Documents
2006-11-18	08:38 d--hs----	C:\System Volume Information
2006-11-18	08:38 d--h-----	C:\Documents and Settings\All Users\Templates
2006-11-18	08:38 d---s----	C:\Documents and Settings\All Users\Application Data\Microsoft
2006-11-18	08:38 d--------	C:\WINDOWS\system32\CatRoot2
2006-11-18	08:38 d--------	C:\WINDOWS\system32\CatRoot
2006-11-18	08:38 d--------	C:\Documents and Settings\All Users\Favorites
2006-11-18	08:38 d--------	C:\Documents and Settings\All Users\Application Data\..
2006-11-18	08:38 d--------	C:\Documents and Settings\All Users\???????
2006-11-18	08:38 d--------	C:\Documents and Settings\All Users\??
2006-11-18	08:38 d--------	C:\Documents and Settings\All Users\..
2006-11-18	08:38 d--------	C:\Documents and Settings\All Users\.
2006-11-18	08:38 d--------	C:\Documents and Settings

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\" /WinStart"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"AOL Spyware Protection"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"CJIMETIPSYNC"="C:\\Program Files\\Common Files\\Microsoft Shared\\IME\\IMTC65\\CHANGJIE\\CINTLCFG.EXE /CJIMETIPSync"
"PHIMETIPSYNC"="C:\\Program Files\\Common Files\\Microsoft Shared\\IME\\IMTC65\\PHONETIC\\TINTLCFG.EXE /PHIMETIPSync"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Home"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000bd
"NoSharedDocuments"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=dword:00000001
"hx-1"="1"
"hx-2"="2"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"AdobePDF"="{D92D666A-0F7B-5892-A7E8-29340333F07E}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]	
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-22 20:50:12.64 
C:\ComboFix.txt ... 06-11-22 20:50

*HJT log*

Logfile of HijackThis v1.99.1
Scan saved at 20:54:39, on 22/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\conime.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: & use FlashGet to download - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: & all use FlashGet to download - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy download - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy search - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: reference data - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{926DE9AA-8575-4568-87F7-CA864E1A0A48}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA86600D-0523-4D5A-9B13-50E76E260F23}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

There are signs of malware in that log. Let's run another set of scans. If these do not pick them up, we will do it manually.

Click *here* to download *Dr.Web CureIt* and save it to your desktop.

Double-click the *drweb-cureit.exe* file and allow it to run the express scan.
This will scan the files currently running in memory and, when something is found, click the *yes* button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click *'Yes to all'* if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found:
If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples).
After selecting, in the *Dr.Web CureIt* menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called *DrWeb.csv*.
*Close Dr.Web CureIt*.
Reboot your computer!! It is possible that files in use will only be moved/deleted during the reboot.
Please run the *F-Secure Online Scanner*

Note: *This Scanner is for Internet Explorer Only!*
Follow the Instruction Here for installation.
Accept the License Agreement.
Once the ActiveX installs, click *Full System Scan*.
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the *Automatic cleaning (recommended)* button.
Click the *Show Report* button and *Copy&Paste the entire report in your next reply along with the contents of the log from Dr.Web you saved previously and a new HijackThis log*.


----------



## yingybaby (Nov 14, 2006)

when i use f-secure online scanner..
those words didn't show up so i don't know which button i should chose


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby*



yingybaby said:


> when i use f-secure online scanner..
> those words didn't show up so i don't know which button i should chose


Let me see the *DrWebCureit* log.


----------



## yingybaby (Nov 14, 2006)

oh by the way..
those words finally show on the screen...
now i am doing the f-secure online scanner bit
here is the log


nppdf.dll;c:\program files\internet explorer\plugins;Trojan.MulDrop.4551;Deleted.;
mswmccds.exe;c:\program files\windows media connect;Win32.HLLW.Gavir.46;Deleted.;
mswmcls.exe;c:\program files\windows media connect;Win32.HLLW.Gavir.46;Deleted.;
rundll32.exe;C:\!KillBox;Trojan.PWS.Gamania;Deleted.;
rundll32.exe( 2);C:\!KillBox;Trojan.PWS.Lineage;Deleted.;
svhost32.exe;C:\!KillBox;Trojan.PWS.Lineage;Deleted.;
svhost32.exe( 1);C:\!KillBox;Trojan.PWS.Lineage;Deleted.;
Google Installer.exe\data002;C:\Program Files\Google Installer.exe;Probably DLOADER.Trojan;;
Google Installer.exe;C:\Program Files;Archive contains infected objects;Moved.;
0B5Y3IAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
0QEJMDAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
11BSGNBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
11JA4WBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
13ATQ0DA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
1H5X5WDA.NQF;C:\Program Files\ESET\infected;Trojan.PWS.Qqpass.256;Deleted.;
1UNUNXDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
1WC2UPCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
21ROSYAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
2HB2GJCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
3IJJYEDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
40O1ARBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
4B3VFBAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
4IAES1DA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
5KKY1UCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
5SEXZQCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
5TOKH0AA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
A1KRXICA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
A5JBSVBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
AP3RD3BA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
BCGJCQCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
BCRQJSDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
BXCJ3ICA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
CEUN4CAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
CQGYDDBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
D4SLCFCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
DUUQCRAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
DZUPHMCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
E3IZ22DA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
EJY11EBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
EVIGYDBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
FAT3WABA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
FGZ4XGDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
FOJF0EBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
FWDFS3CA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
FWF2ARBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
FX42FIDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
FYP3IABA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
GF4YMYAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
GFQ3SXDA.NQF;C:\Program Files\ESET\infected;Trojan.PWS.Wool;Deleted.;
GJRGAKAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
GREK31BA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
GZKJT5AA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
HGSX1PBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
HZI4MLDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
IGEYI4DA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
INAPRMBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
ISYFO3AA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
ITAVFCDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
IVAJMUAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
J45CMTCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
JUOIXFBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
JZ2O00CA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
L1I0ONCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
LJVMPSCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
LUY3VBDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
MI00GWDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
MWUMSOBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
NUBSWDBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
OC2VY1CA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
OEB3NTDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
ONKILMAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
PQK4CQCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
PTWKITAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
QMBSF0CA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
QNGC4IDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
QNV0Q2DA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
R00EDAAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
RSO2DVCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
RUHPBKDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
SIRMTGDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
SKLT44AA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
SLRVDRAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
U3GSQPCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
UJ35D0DA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
WBG1RFCA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
WTMXIUDA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
YNAEW5DA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
ZRZDKVBA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
ZTLIWPAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
ci.dll;C:\Program Files\Google\Google Updater\1.4.681.27779;Probably DLOADER.Trojan;Incurable.Will be moved after reboot.;
GoogleToolbarNotifier.exe;C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008;Win32.HLLW.Gavir.46;Deleted.;
0Sy.exe;C:\Program Files\Internet Explorer;Win32.HLLW.Gavir.46;Deleted.;
nppdfx.dll;C:\Program Files\Internet Explorer\PLUGINS;Trojan.DownLoader.14932;Will be cured after reboot.;
STRunner.exe;C:\Program Files\Learn2.com\StRunner;Win32.HLLW.Gavir.46;Deleted.;
stuninst.exe;C:\Program Files\Learn2.com\StRunner;Win32.HLLW.Gavir.46;Deleted.;
EXCEL.EXE;C:\Program Files\Microsoft Office\OFFICE11;Win32.HLLW.Gavir.46;Deleted.;
WINWORD.EXE;C:\Program Files\Microsoft Office\OFFICE11;Win32.HLLW.Gavir.46;Deleted.;
nl2uninst.exe;C:\Program Files\NetLimiter 2 Pro;Win32.HLLW.Gavir.46;Deleted.;
nlsysinfo.exe;C:\Program Files\NetLimiter 2 Pro\Tools;Win32.HLLW.Gavir.46;Deleted.;
MtsAxInstaller.exe;C:\Program Files\Viewpoint\Viewpoint Experience Technology;Win32.HLLW.Gavir.46;Deleted.;
jntview.exe;C:\Program Files\Windows Journal Viewer;Win32.HLLW.Gavir.46;Deleted.;
mswmc.exe;C:\Program Files\Windows Media Connect;Win32.HLLW.Gavir.46;Deleted.;
wmfdist95.exe;C:\Program Files\Windows Media Connect\Redist;Win32.HLLW.Gavir.46;Deleted.;
migrate.exe;C:\Program Files\Windows Media Player;Win32.HLLW.Gavir.46;Deleted.;
setup_wm.exe;C:\Program Files\Windows Media Player;Win32.HLLW.Gavir.46;Deleted.;
WinRAR.exe;C:\Program Files\WinRAR;Win32.HLLW.Gavir.46;Deleted.;
0Sy.exe;C:\WINDOWS;Trojan.PWS.Lineage;Deleted.;
1Sy.exe;C:\WINDOWS;Trojan.PWS.Gamania;Deleted.;
3Sy.exe;C:\WINDOWS;Trojan.PWS.Lineage;Deleted.;
4Sy.exe;C:\WINDOWS;Trojan.PWS.Lineage;Deleted.;
7Sy.exe;C:\WINDOWS;Trojan.PWS.Lineage;Deleted.;
Dll.dll;C:\WINDOWS;Win32.HLLW.Gavir.38;Deleted.;
rxdll.dll;C:\WINDOWS;Trojan.PWS.Gamania;Deleted.;
dllwm.dll;C:\WINDOWS\system32;Trojan.PWS.Lineage;Deleted.;
gqbote.dll;C:\WINDOWS\system32;Trojan.PWS.Lineage;Deleted.;
msdll.dll;C:\WINDOWS\system32;Trojan.PWS.Lineage;Deleted.;
QQhx.dat;C:\WINDOWS\system32;Trojan.PWS.Lineage;Deleted.;
wldll.dll;C:\WINDOWS\system32;Trojan.PWS.Lineage;Deleted.;
xydll.dll;C:\WINDOWS\system32;Trojan.PWS.Lineage;Deleted.;
ztdll.dll;C:\WINDOWS\system32;Trojan.PWS.Lineage;Deleted.;
SETUP.EXE;D:\office2003\office2003\FRONTPAGE\FILES\OWC10;Win32.HLLW.Gavir.46;Deleted.;
SETUP.EXE;D:\office2003\office2003\FRONTPAGE\FILES\OWC11;Win32.HLLW.Gavir.46;Deleted.;
DW20.EXE;D:\office2003\office2003\FRONTPAGE\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
DWTRIG20.EXE;D:\office2003\office2003\FRONTPAGE\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
OFFCLN.EXE;D:\office2003\office2003\FRONTPAGE\FILES\PFILES\MSOFFICE\OFFICE11;Win32.HLLW.Gavir.46;Deleted.;
OSE.EXE;D:\office2003\office2003\FRONTPAGE\FILES\SETUP;Win32.HLLW.Gavir.46;Deleted.;
DW20.EXE;D:\office2003\office2003\ONENOTE\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
DWTRIG20.EXE;D:\office2003\office2003\ONENOTE\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
OSE.EXE;D:\office2003\office2003\ONENOTE\FILES\SETUP;Win32.HLLW.Gavir.46;Deleted.;
SETUP.EXE;D:\office2003\office2003\PRO\FILES\OWC10;Win32.HLLW.Gavir.46;Deleted.;
SETUP.EXE;D:\office2003\office2003\PRO\FILES\OWC11;Win32.HLLW.Gavir.46;Deleted.;
DW20.EXE;D:\office2003\office2003\PRO\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
DWTRIG20.EXE;D:\office2003\office2003\PRO\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
OFFCLN.EXE;D:\office2003\office2003\PRO\FILES\PFILES\MSOFFICE\OFFICE11;Win32.HLLW.Gavir.46;Deleted.;
OSE.EXE;D:\office2003\office2003\PRO\FILES\SETUP;Win32.HLLW.Gavir.46;Deleted.;
SETUP.EXE;D:\office2003\office2003\PROJECT\FILES\OWC10;Win32.HLLW.Gavir.46;Deleted.;
SETUP.EXE;D:\office2003\office2003\PROJECT\FILES\OWC11;Win32.HLLW.Gavir.46;Deleted.;
DW20.EXE;D:\office2003\office2003\PROJECT\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
DWTRIG20.EXE;D:\office2003\office2003\PROJECT\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
OFFCLN.EXE;D:\office2003\office2003\PROJECT\FILES\PFILES\MSOFFICE\OFFICE11;Win32.HLLW.Gavir.46;Deleted.;
OSE.EXE;D:\office2003\office2003\PROJECT\FILES\SETUP;Win32.HLLW.Gavir.46;Deleted.;
DW20.EXE;D:\office2003\office2003\VISIO\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
DWTRIG20.EXE;D:\office2003\office2003\VISIO\FILES\PFILES\COMMON\MSSHARED\DW;Win32.HLLW.Gavir.46;Deleted.;
OSE.EXE;D:\office2003\office2003\VISIO\FILES\SETUP;Win32.HLLW.Gavir.46;Deleted.;
Adobe DNG Converter.exe;D:\Photoshop_CS2_tryout\Photoshop CS2\Adobe DNG Converter;Win32.HLLW.Gavir.46;Deleted.;
setup.exe;D:\Photoshop_CS2_tryout\Photoshop CS2\Adobe(R) Photoshop(R) CS2;Win32.HLLW.Gavir.46;Deleted.;



can i ask a question...
for those exe files that i have deleted, do you know if there will be a problem if i try to use those infected programs like google toolbar, microsoft word etc?

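A small triage script for a Dr.Web CureIt report in the layout posted above, added here as an example (it is not tooling from the thread or from Dr.Web). It separates hits that were already sitting in another tool's quarantine folder (the `C:\!KillBox` and `ESET\infected` paths in the log) from live hits, and lists the entries that still need a reboot. The sample rows are copied from the posted log; the quarantine folder list is an assumption taken from those paths.

```python
"""Triage a Dr.Web CureIt report (DrWeb.csv).

Every row is "<file>;<directory>;<detection>;<action>;". Added example, not
Dr.Web's or the thread's own code; counts refer to the sample rows only.
"""
from collections import Counter
from dataclasses import dataclass

# Folders where another tool had already quarantined the file before Dr.Web
# scanned it (assumption: taken from the paths in the posted log). A hit here
# is an old quarantine being re-flagged, not a live infection.
QUARANTINE_DIRS = (
    r"c:\!killbox",
    r"c:\program files\eset\infected",
)


@dataclass(frozen=True)
class Hit:
    name: str
    directory: str
    detection: str
    action: str

    @property
    def path(self) -> str:
        return f"{self.directory}\\{self.name}"

    @property
    def quarantined(self) -> bool:
        d = self.directory.lower()
        return any(d == q or d.startswith(q + "\\") for q in QUARANTINE_DIRS)

    @property
    def pending(self) -> bool:
        # Still needs a reboot or manual follow-up, so the cleanup is not done.
        a = self.action.lower()
        return "reboot" in a or "incurable" in a


def parse_report(text: str) -> list[Hit]:
    """Parse the semicolon-separated rows; ignore chatter pasted around the log."""
    hits = []
    for raw in text.splitlines():
        parts = [p.strip() for p in raw.strip().split(";")]
        if len(parts) < 4 or not parts[0] or not parts[2]:
            continue  # not a report row
        hits.append(Hit(*parts[:4]))
    return hits


def summarize(hits: list[Hit]) -> dict:
    """Counts by detection (live hits only) and by action, plus unfinished items."""
    live = [h for h in hits if not h.quarantined]
    return {
        "total": len(hits),
        "already_quarantined": len(hits) - len(live),
        "live": len(live),
        "by_detection": Counter(h.detection for h in live),
        "by_action": Counter(h.action or "(none)" for h in hits),
        "pending": [h.path for h in hits if h.pending],
    }


# Constructed sample: rows copied from the report posted in this thread.
SAMPLE_REPORT = r"""
nppdf.dll;c:\program files\internet explorer\plugins;Trojan.MulDrop.4551;Deleted.;
rundll32.exe;C:\!KillBox;Trojan.PWS.Gamania;Deleted.;
Google Installer.exe\data002;C:\Program Files\Google Installer.exe;Probably DLOADER.Trojan;;
0B5Y3IAA.NQF;C:\Program Files\ESET\infected;Win32.HLLW.Gavir.46;Deleted.;
1H5X5WDA.NQF;C:\Program Files\ESET\infected;Trojan.PWS.Qqpass.256;Deleted.;
ci.dll;C:\Program Files\Google\Google Updater\1.4.681.27779;Probably DLOADER.Trojan;Incurable.Will be moved after reboot.;
nppdfx.dll;C:\Program Files\Internet Explorer\PLUGINS;Trojan.DownLoader.14932;Will be cured after reboot.;
WINWORD.EXE;C:\Program Files\Microsoft Office\OFFICE11;Win32.HLLW.Gavir.46;Deleted.;
0Sy.exe;C:\WINDOWS;Trojan.PWS.Lineage;Deleted.;
"""

if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['total']} rows, {summary['already_quarantined']} already in quarantine, "
          f"{summary['live']} live")
    for det, n in summary["by_detection"].most_common():
        print(f"  {n:3d}  {det}")
    for p in summary["pending"]:
        print("  needs follow-up after reboot:", p)
```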

----------



## JSntgRvr (Jul 1, 2003)

> can i ask a question...
> for those exe files that i have deleted, do you know if there will be a problem if i try to use those infected programs like google toolbar, microsoft word etc?


No. These files may represent an Adware component of the program, or a false positive. The files are not being deleted, but moved to a place where they won't affect the system. If we need to recover one of those files, we will do so through the Quarantine. Once these are removed, we will test those programs.



----------



## yingybaby (Nov 14, 2006)

Scanning Report
Friday, November 24, 2006 09:42:28 - 10:32:53
Computer name: NKL-2AE6AD22A13 
Scanning type: Scan system for viruses, rootkits, spyware 
Target: C:\ D:\ 


--------------------------------------------------------------------------------

Result: 20 malware found
Softomate Toolbar (spyware) 
System (Disinfected) 
Tracking Cookie (spyware) 
System (Disinfected) 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 
System 

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 14656 
System: 3826 
Not scanned: 3 
Actions:
Disinfected: 2 
Renamed: 0 
Deleted: 0 
None: 18 
Submitted: 0 
Files not scanned:
C:\HIBERFIL.SYS 
C:\PAGEFILE.SYS 
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT 

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2006-11-23 
F-Secure AVP: 7.0.171, 2006-11-24 
F-Secure Orion: 1.2.37, 2006-11-23 
F-Secure Blacklight: 1.0.31, 0000-00-00 
F-Secure Draco: 1.0.35, 2006-11-14 
F-Secure Pegasus: 1.19.0, 2006-08-29 
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX 
Use Advanced heuristics


----------



## yingybaby (Nov 14, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 10:39:21, on 24/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\NYL\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk32.exe
C:\DOCUME~1\NYL\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fssm32.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: & use FlashGet download - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: & all use FlashGet download - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy download - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy search - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: refernce data - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926DE9AA-8575-4568-87F7-CA864E1A0A48}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA86600D-0523-4D5A-9B13-50E76E260F23}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.
_Modification of the registry can be *EXTREMELY* dangerous if you do not know exactly what you are doing, so follow the steps that are listed below *EXACTLY*. If you cannot perform some of these steps or if you have *ANY* questions, please ask *BEFORE* proceeding._

*Backing Up Your Registry*
Go *Here* and download *ERUNT* 
_(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)_
Install *ERUNT* by following the prompts 
_(use the default install settings but say no to the portion that asks you to add *ERUNT* to the start-up folder, if you like you can enable this option later)_
Start *ERUNT* 
_(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)_
Choose a location for the backup 
_(the default location is C:\WINDOWS\ERDNT which is acceptable)._
Make sure that at least the first two check boxes are ticked 
Press *OK*
Press *YES* to create the folder.
*Registry Modifications*

Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Registry Entries file, *Regfix.reg*. Once extracted, open the folder and double click on the *Regfix.reg* file and select *Yes* when prompted to merge it into the registry.

Restart the computer. *How is it doing?*


----------



## yingybaby (Nov 14, 2006)

what will happen if i do something wrong when i am doing those steps?
after i do something, what can i do about the computer?
what do i need to do after i do all those steps?


----------



## JSntgRvr (Jul 1, 2003)

yingybaby said:


> what will happen if i do something wrong when i am doing those steps?
> after i do something, what can i do about the computer?
> what do i need to do after i do all those steps?


There is a Readme document in the *%Program Files%\ERUNT* folder. Read the document. It has various scenarios if Windows fails to boot or the registry gets corrupted.

This fix is a low risk process. If you backup your registry as instructed, and follow the instructions to merge this file into the registry, you shouldn't have any worries.

To be 100% secure, create a Restore Point.


Click *Start*, point to *All Programs*, point to *Accessories*, point to *System Tools*, and then click *System Restore*.
In the System Restore dialog box, click *Create a restore point*, and then click *Next*. 
Type a description for your restore point, such as "Before VirusScan", then click *Create*.

If something goes wrong, restore the computer to that point.

*Let me know how it goes and how is the computer doing.*


----------



## yingybaby (Nov 14, 2006)

after i reboot the computer, nothing changed..
i think it's the same as before (maybe i am wrong)
how can i tell if something's wrong?
is it supposed to change or what?


----------



## JSntgRvr (Jul 1, 2003)

yingybaby said:


> after i reboot the computer, nothing changed..
> i think it's the same as before (maybe i am wrong)
> how can i tell if something's wrong?
> is it supposed to change or what?


You won't be seeing the changes. These are malware registry entries reported by Combofix. They should now be fixed. How is the computer doing? Are you still experiencing problems?


----------



## yingybaby (Nov 14, 2006)

mmm...well i don't think there is a problem anymore
except that windows media connect's icon looks like it did when i had the virus
and also i can't uninstall NOD32 antivirus coz it said it can't find the exe file

so far my computer is working good i think(?)


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

*Windows Media Connect* (WMC) allows Universal Plug and Play devices to be used by *Windows Media Player*. As Universal Plug and Play is considered a security risk, it can be disabled, unless you need to use it.

In regard to *Nod32*, there are two ways to uninstall, either through the uninstall routine provided by the vendor or using the built-in uninstaller provided by the Windows operating system. In either case, before uninstalling NOD32, ensure all other programs are closed.
To access the vendor-provided uninstall feature, click Start | Programs | Eset | Uninstall. (XP interface users should click Start | All Programs | Eset | Uninstall).

To access the Windows-provided uninstall feature, click Start | Settings | Control Panel then double-click the Add or Remove Programs icon. (XP interface users should click Start | Control Panel and then double-click the Add or Remove Programs icon).
Locate NOD32 on the program list and click Remove.

Following either of the above methods will result in a dialog box asking you to confirm the uninstall. Click Yes.
NOD32 will now be uninstalled. At the end of the uninstall, you will receive a prompt to reboot the system. Select "Restart Now" and click "Finish" to reboot the system.

If you experience problems, download and install the program. Once installed, after a restart re-try the above process. It is recommended that programs be removed in Safe Mode.

*Let me know your decision.*


----------



## yingybaby (Nov 14, 2006)

for *windows media connect* i just need to use *windows media player*, i don't think i used *windows media connect* before...

for *NOD32*, i've already tried those ways before, i tried that Windows-provided uninstall feature first and it uninstalled. but the thing is the NOD32 icon is still in the bottom right corner, so i checked, the ESET folder is still there.
then i used the ESET uninstall one, it said it can not find *set.exe* so it can not be uninstalled.


----------



## JSntgRvr (Jul 1, 2003)

yingybaby said:


> for *windows media connect* i just need to use *windows media player*, i don't think i used *windows media connect* before...
> 
> for *NOD32*, i've already tried those ways before, i tried that Windows-provided uninstall feature first and it uninstalled. but the thing is the NOD32 icon is still in the bottom right corner, so i checked, the ESET folder is still there.
> then i used the ESET uninstall one, it said it can not find *set.exe* so it can not be uninstalled.


Post a Hijackthis log.


----------



## yingybaby (Nov 14, 2006)

Logfile of HijackThis v1.99.1
Scan saved at 21:37:16, on 25/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: & use FlashGet to download - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: & all use FlashGet to download - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy download - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy search - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: reference data - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926DE9AA-8575-4568-87F7-CA864E1A0A48}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA86600D-0523-4D5A-9B13-50E76E260F23}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)

Now close all windows and browsers, *other than HiJackThis*, then click *Fix Checked*.

Close Hijackthis.

Copy the entire contents of the Quote Box below to *Notepad*.
Name the file *DelService.bat*.
Change the *Save as Type* to *All Files*
and *Save* it on the *desktop*.
Once saved, double-click the *DelService.bat* file.
The MS-DOS window will flash for a second. That is normal.



> SC Stop NOD32krn
> SC Delete NOD32krn
> SC Stop WmcCdsLs
> SC Delete WmcCdsLs
> ...


*Reboot into safe mode.*

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please go to Start > Control Panel > *Add/Remove Programs* and remove the following (if present):

*Windows Media Connect*
*NOD32*

Please note any other programs that you don't recognize in that list in your next response.

Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these *folders* (if present):

*C:\Program Files\Windows Media Connect*
*C:\Program Files\Eset*

Restart the computer.

*Post a fresh log and let me know if the situation is resolved.*


----------



## yingybaby (Nov 14, 2006)

i'm in safe mode add/remove programs now...
i can't delete window media connect coz it said i'm in safe mode.
i didn't delete NOD32 coz it's already deleted before

i searched those 2 files, i can delete window media connect 
however i can not delete ESSET, it said it can't delete *nodshex.dll*


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby*  

Download the attached file, unzip it and save it to your *C:\ drive.* (Overwrite the existing one)
When having saved it, the file path should be *C:\remove.txt*
Open the *Avenger*.
Check *Load Script from File *and then click the folder Icon on the right side of that section.
Then browse to *C:\remove.txt* and click *open* to load it.

Then click the *green light* icon.
This will begin the execution of the script currently in memory.
After you have clicked on the green light to begin execution of a script, the Avenger will set itself up to run the next time you reboot your computer, and then will prompt you to restart immediately.
After your system restarts, a log file should open with the results of the Avenger's actions. This log file is located at *C:\avenger.txt*. The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to *C:\avenger\backups.zip*.
Post the contents of the *C:\avenger.txt* file and a fresh *Hijackthis log*.


----------



## yingybaby (Nov 14, 2006)

where is avenger?


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

I thought you had downloaded this program before:

Download and unzip *Avenger* to your desktop.


----------



## yingybaby (Nov 14, 2006)

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\jcfbyxao

*******************

Script file located at: \??\C:\Documents and Settings\euapxglo.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Folder c:\program files\windows media connect deleted successfully.
Folder C:\Program Files\Eset deleted successfully.

Completed script processing.

*******************

Logfile of HijackThis v1.99.1
Scan saved at 15:04:05, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: & use FlashGet to download - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: & all use FlashGet to download - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy download - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy search - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: reference data - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926DE9AA-8575-4568-87F7-CA864E1A0A48}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA86600D-0523-4D5A-9B13-50E76E260F23}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe

Finished! Terminate.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *yingybaby* 

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

Now close all windows and browsers, *other than HiJackThis*, then click *Fix Checked*.

Close Hijackthis.

I see no Antivirus programs. Please click *Here* to download AVG Free as an Antivirus.

The rest of the log looks clear, Congratulations.

Reset and re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes from changing them. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
*Spybot Search & Destroy* - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

*AdAware* - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

*SpywareBlaster* - Great prevention tool to keep nasties from installing on your system.

*SpywareGuard* - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

*IE-SpyAd* - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

*CleanUP!* - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is *very important* to make sure that both Internet Explorer and Windows are kept current with *the latest critical security patches* from Microsoft. To do this just start *Internet Explorer* and select *Tools > Windows Update*, and follow the online instructions from there.

*Google Toolbar* - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

*Trillian* or *Miranda-IM* - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read *this* article by Tony Klein.

Click *Here* for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "*Solved*".

Best wishes!


----------



## yingybaby (Nov 14, 2006)

i've deleted that BHO file..
and after you told me to use that avenger thing, i downloaded norton antivirus by google updater...look at the log below..=]
i don't think i'm going to download any of the tools coz after i downloaded norton, my computer started to get slower when i turn it on...i will download it if any of them can be faster than NOD32 or Norton...
but anyway... thz a lot 4 helping me with my computer..=]

Logfile of HijackThis v1.99.1
Scan saved at 23:00:15, on 27/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\NetLimiter 2 Pro\NLClient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: FlashGet - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\Program Files\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [CJIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\CHANGJIE\CINTLCFG.EXE /CJIMETIPSync
O4 - HKLM\..\Run: [PHIMETIPSYNC] C:\Program Files\Common Files\Microsoft Shared\IME\IMTC65\PHONETIC\TINTLCFG.EXE /PHIMETIPSync
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: & use FlashGet to download - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: & all use FlashGet download - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Foxy download - res://C:\Program Files\Foxy\Foxy.exe/download.htm
O8 - Extra context menu item: Foxy search - res://C:\Program Files\Foxy\Foxy.exe/search.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: reference data - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{926DE9AA-8575-4568-87F7-CA864E1A0A48}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA86600D-0523-4D5A-9B13-50E76E260F23}: NameServer = 205.188.146.145
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

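The "post a fresh log" step and the "rest of the log looks clear" verdict above both come down to comparing one HijackThis log with the previous one and spotting entries that still point at files which are no longer on disk. Below is an added example in Python, not a tool from this thread and not part of HijackThis or the Avenger: it parses the `Oxx -` entry lines of a v1.99.1 log, flags the same patterns the helper acted on here (an O2 BHO marked `(no file)`, an O23 service marked `Unknown owner` or `(file missing)`), also surfaces an O21 SSODL entry with a missing DLL as a review item (the helper in this thread chose to leave that one alone), and diffs a previous log against a fresh one so that what was removed and what newly appeared is listed. The two sample logs are constructed from a handful of lines quoted in the posts above; the function and constant names are my own.

```python
"""Triage helper for HijackThis v1.99.1 logs.

Added example for this thread (not the helper's tool, not part of HijackThis).
It parses the 'Oxx - ' entry lines, flags entries whose backing file is gone,
and diffs a previous log against a fresh one by entry text.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Entry lines look like 'O2 - BHO: ...', 'O23 - Service: ...', 'R3 - URLSearchHook: ...'.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# A CLSID in braces: 8-4-4-4-12 hex digits, 36 characters between the braces.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class Entry:
    kind: str   # section code, e.g. 'O2', 'O23'
    body: str   # everything after 'O23 - '
    clsid: str  # upper-cased CLSID if the entry carries one, else ''


def parse_log(text: str) -> List[Entry]:
    """Keep only the entry lines; the header and 'Running processes:' block are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append(Entry(m.group("kind"), body, clsid.group(0).upper() if clsid else ""))
    return entries


def flag(entry: Entry) -> Optional[str]:
    """Return a review reason for entries that point at a missing file, else None."""
    if entry.kind == "O2" and "(no file)" in entry.body:
        return "BHO registered but its DLL is absent"
    if entry.kind == "O23" and ("Unknown owner" in entry.body or "(file missing)" in entry.body):
        return "service with no publisher or a missing binary"
    if entry.kind == "O21" and "(file missing)" in entry.body:
        return "ShellServiceObjectDelayLoad entry with a missing DLL"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """(section, reason) for every flagged entry, in log order."""
    out = []
    for e in parse_log(text):
        reason = flag(e)
        if reason:
            out.append((e.kind, reason))
    return out


def diff_logs(previous: str, fresh: str) -> Tuple[List[Entry], List[Entry]]:
    """Entries only in the previous log (removed) and only in the fresh log (added)."""
    old = {(e.kind, e.body): e for e in parse_log(previous)}
    new = {(e.kind, e.body): e for e in parse_log(fresh)}
    removed = [e for k, e in old.items() if k not in new]
    added = [e for k, e in new.items() if k not in old]
    return removed, added


# Constructed sample logs, assembled from lines quoted in this thread.
PREVIOUS_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 15:04:05, on 27/11/2006

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)
"""

FRESH_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 23:00:15, on 27/11/2006

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O21 - SSODL: AdobePDF - {D92D666A-0F7B-5892-A7E8-29340333F07E} - c:\program files\internet explorer\PLUGINS\nppdf.dll (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Program Files\NetLimiter 2 Pro\nlsvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

if __name__ == "__main__":
    for kind, reason in triage(PREVIOUS_LOG):
        print(f"review {kind}: {reason}")
    removed, added = diff_logs(PREVIOUS_LOG, FRESH_LOG)
    print("removed since previous log:", *[e.body for e in removed], sep="\n  ")
    print("new since previous log:", *[e.body for e in added], sep="\n  ")
```

The diff keys on the exact entry text, so an entry that merely changed from an 8.3 path (`C:\PROGRA~1\FlashGet\...`) to a long path (`C:\Program Files\FlashGet\...`), as several do between the logs in this thread, shows up as one removal plus one addition rather than as unchanged; that is deliberate, since a path change on an autostart entry is worth a second look. The flags are review items only: a missing-file entry is a dead pointer, not proof of infection, which is why the helper above left the AdobePDF SSODL line in place.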

----------



## puterdude38 (Dec 1, 2006)

sweatpants46 said:


> Through all my methods, the two files I absolutely could not get rid of were C:\Windows\IEXPL0RE.exe (note the 0 instead of O) and C:\Windows\system32\aelupsvc32.dll.
> 
> First of all I got a lot of great help in this thread while I was getting frustrated trying to delete the aelupsvc32.dll file. I was finally successful in deleting the file after booting from my winxp system cd. I selected recovery mode which brought me to a command prompt. From the command prompt I was able to navigate to the windows\system32 folder and delete the aelupsvc32.dll.
> 
> ...


----------



## buglawton (Nov 24, 2006)

I got rid of my same named file exactly the same way (actually by renaming the aelupsvc32.dll file to xaelupsvc32x.dead rather than deleting it) - but then found that the Web Browser would no longer connect to the internet. Had to rename it back while I research an answer to that part.


----------



## puterdude38 (Dec 1, 2006)

buglawton said:


> I got rid of my same named file exactly the same way (actually by renaming the aelupsvc32.dll file to xaelupsvc32x.dead rather than deleting it) - but then found that the Web Browser would no longer connect to the internet. Had to rename it back while I research an answer to that part.


I also had the web browser connect problem after removing aelupsvc32.dll. I found that the lack of connectivity was due to DHCP not working properly. I went to control panel, system, device manager and removed my network adapter, shut down, restarted and allowed winxp to discover the device and reinstall the driver. I actually had to do that several times until finally DHCP worked properly again.

Hope this helps...


----------



## buglawton (Nov 24, 2006)

Glad that you mentioned that, a good heads-up!

I plan to try using Winsock Fix eg from http://www.snapfiles.com/get/winsockxpfix.html to fix the services if possible, it executes a command that is anyway available in XP SP2 (see http://windowsxp.mvps.org/winsock.htm) to repair the broken links in the winsock catalogue, but I think it is more user-friendly and handles making a backup of your Registry first.

If this works it is bound to be more comfortable than reinstalling the network adaptor. Anyone else who has travelled this road, let me know on this thread!


----------



## Flrman1 (Jul 26, 2002)

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

