Win 2K server Trojan(s)
Hello again!
I got help a week or two ago with a Trojan; now I have been asked to look at another, but this time on a Win2K server set-up.
I ran a Hijackthis log, which is absolutely huge, but I have attached it none-the-less.
The machine does not have AV on it, but I have run STINGER and removed a worm; AdAware and Spybot run and report clearing 200-odd references to IBIS toolbar, but without help from the ether I would have to wipe the system and re-build - not so easy with an older server and software.
Any suggestions will be very welcome!
Thanks .... Iain
Comments
Download and run this tool.
http://www.spywareinfo.dk/download/mwav.exe
Once it's done please post the log from the scan and a new hijackthis log.
and many thanks for the reply from Buck_Eye Sam - very helpful. I took the advice and ran Escan, and got away with it - just. The machine was running 1926 processes, and Escan was managing to kill 4 processes a minute when it started, suggesting a long night. However, as the number running reduced the speed increased, so it completed in just under 3 hours.
23106 files were scanned, 1757 viruses found, 7 disinfected, 1720 deleted and 16 renamed. It reported 5 errors. The system was afterwards running only 19 processes!
I did a follow-up run where one more was found and fixed. The log is too big to attach - 3.4MB - but I could upload it to some web space I have if necessary.
I then ran HJT and the log for it is attached. CWshredder reports the removal of CWS.HiddenDll - no others found.
AdAware then cleaned out 16 objects; all IE files were deleted, and Spybot 1.3 found only DSO Exploit.
I am now in a MUCH better position, but I suspect I am not out of the woods yet - further advice will be very welcome. This part of Scotland like Ohio!
Iain
I looked again and see the name is correctly Buckeye_Sam
No wonder I cannot get computers right!
Logfile of HijackThis v1.99.1
Scan saved at 21:40:03, on 11/05/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ibs.exe
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {61FC9252-97B4-4C41-B9CB-DA40DE5100D7} - C:\WINNT\System32\klpjh.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [logon.exe] C:\WINNT\System32\logon.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - HKCU\..\Run: [e005ROj5V] hpdac.exe
O4 - HKCU\..\Run: [Uao] C:\WINNT\Egi.exe
O4 - HKCU\..\Run: [Knd] C:\WINNT\Bge.exe
O4 - HKCU\..\Run: [Vuu] C:\WINNT\Oth.exe
O4 - HKCU\..\Run: [Nct] C:\WINNT\Jku.exe
O4 - HKCU\..\Run: [Ime] C:\WINNT\Ill.exe
O4 - HKCU\..\Run: [Qfd] C:\WINNT\Kij.exe
O4 - HKCU\..\Run: [Bae] C:\WINNT\Ais.exe
O4 - HKCU\..\Run: [Vnt] C:\WINNT\Tda.exe
O4 - HKCU\..\Run: [Dmr] C:\WINNT\Oes.exe
O4 - HKCU\..\Run: [Pdh] C:\WINNT\Ata.exe
O4 - HKCU\..\Run: [Ksn] C:\WINNT\System32\Ebt.exe
O4 - HKCU\..\Run: [Vkl] C:\WINNT\System32\Ukr.exe
O4 - HKCU\..\Run: [Quc] C:\WINNT\Oru.exe
O4 - HKCU\..\Run: [Tqt] C:\WINNT\Cno.exe
O4 - HKCU\..\Run: [Osh] C:\WINNT\Nho.exe
O4 - HKCU\..\Run: [Bkl] C:\WINNT\Ual.exe
O4 - HKCU\..\Run: [Otl] C:\WINNT\System32\Ngg.exe
O4 - HKCU\..\Run: [Irq] C:\WINNT\Ikb.exe
O4 - HKCU\..\Run: [Bib] C:\WINNT\Qbv.exe
O4 - HKCU\..\Run: [Oou] C:\WINNT\System32\Qdq.exe
O4 - HKCU\..\Run: [Quk] C:\WINNT\Sdm.exe
O4 - HKCU\..\Run: [Ptv] C:\WINNT\Igl.exe
O4 - HKCU\..\Run: [Dms] C:\WINNT\Qrl.exe
O4 - HKCU\..\Run: [Ubr] C:\WINNT\System32\Icv.exe
O4 - HKCU\..\Run: [Pbj] C:\WINNT\System32\Ekq.exe
O4 - HKCU\..\Run: [Jfi] C:\WINNT\System32\Grk.exe
O4 - HKCU\..\Run: [Phl] C:\WINNT\Utv.exe
O4 - HKCU\..\Run: [Rjb] C:\WINNT\System32\Kru.exe
O4 - HKCU\..\Run: [Neg] C:\WINNT\System32\Dsb.exe
O4 - HKCU\..\Run: [Neo] C:\WINNT\Khq.exe
O4 - HKCU\..\Run: [Hao] C:\WINNT\System32\Ape.exe
O4 - HKCU\..\Run: [Osk] C:\WINNT\Vuu.exe
O4 - HKCU\..\Run: [Hbq] C:\WINNT\System32\Fvg.exe
O4 - HKCU\..\Run: [Csi] C:\WINNT\Qqt.exe
O4 - HKCU\..\Run: [Kmc] C:\WINNT\System32\Mir.exe
O4 - HKCU\..\Run: [Ljj] C:\WINNT\System32\Uih.exe
O4 - HKCU\..\Run: [Btr] C:\WINNT\System32\Ugi.exe
O4 - HKCU\..\Run: [Flf] C:\WINNT\System32\Lqq.exe
O4 - HKCU\..\Run: [Ubp] C:\WINNT\System32\Fiq.exe
O4 - HKCU\..\Run: [Cbb] C:\WINNT\Fat.exe
O4 - HKCU\..\Run: [Pvm] C:\WINNT\System32\Tpg.exe
O4 - HKCU\..\Run: [Gnn] C:\WINNT\Prv.exe
O4 - HKCU\..\Run: [Ghb] C:\WINNT\Ond.exe
O4 - HKCU\..\Run: [Mif] C:\WINNT\Fib.exe
O4 - HKCU\..\Run: [Ivg] C:\WINNT\Cuv.exe
O4 - HKCU\..\Run: [Kbf] C:\WINNT\System32\Kno.exe
O4 - HKCU\..\Run: [Otd] C:\WINNT\Orb.exe
O4 - HKCU\..\Run: [Eat] C:\WINNT\System32\Cug.exe
O4 - HKCU\..\Run: [Las] C:\WINNT\System32\Aos.exe
O4 - HKCU\..\Run: [Mrp] C:\WINNT\Fmf.exe
O4 - HKCU\..\Run: [Jir] C:\WINNT\System32\Llu.exe
O4 - HKCU\..\Run: [Sfq] C:\WINNT\Ukt.exe
O4 - HKCU\..\Run: [Mtu] C:\WINNT\System32\Bfk.exe
O4 - HKCU\..\Run: [Ima] C:\WINNT\Gjk.exe
O4 - HKCU\..\Run: [Vom] C:\WINNT\Nvu.exe
O4 - HKCU\..\Run: [Hkb] C:\WINNT\Ika.exe
O4 - HKCU\..\Run: [Jkf] C:\WINNT\Csc.exe
O4 - HKCU\..\Run: [Lgm] C:\WINNT\System32\Fqe.exe
O4 - HKCU\..\Run: [Bjn] C:\WINNT\System32\Ojp.exe
O4 - HKCU\..\Run: [Kom] C:\WINNT\Nbf.exe
O4 - HKCU\..\Run: [Uki] C:\WINNT\System32\Fhu.exe
O4 - HKCU\..\Run: [Hcl] C:\WINNT\System32\Pae.exe
O4 - HKCU\..\Run: [Hce] C:\WINNT\System32\Lsv.exe
O4 - HKCU\..\Run: [Ute] C:\WINNT\System32\Qeu.exe
O4 - HKCU\..\Run: [Gmt] C:\WINNT\Nvp.exe
O4 - HKCU\..\Run: [Ovc] C:\WINNT\System32\Sgk.exe
O4 - HKCU\..\Run: [Epe] C:\WINNT\System32\Dpo.exe
O4 - HKCU\..\Run: [Skd] C:\WINNT\Lkj.exe
O4 - HKCU\..\Run: [Oeu] C:\WINNT\System32\Gdu.exe
O4 - HKCU\..\Run: [Ukb] C:\WINNT\System32\Dsd.exe
O4 - HKCU\..\Run: [Iku] C:\WINNT\System32\Mrp.exe
O4 - HKCU\..\Run: [Okn] C:\WINNT\System32\Rjl.exe
O4 - HKCU\..\Run: [Dkl] C:\WINNT\System32\Fsl.exe
O4 - HKCU\..\Run: [Vsk] C:\WINNT\Mtc.exe
O4 - HKCU\..\Run: [Kpb] C:\WINNT\Rtn.exe
O4 - HKCU\..\Run: [Qul] C:\WINNT\System32\Dcs.exe
O4 - HKCU\..\Run: [Ndf] C:\WINNT\System32\Srf.exe
O4 - HKCU\..\Run: [Ner] C:\WINNT\Oll.exe
O4 - HKCU\..\Run: [Sqs] C:\WINNT\System32\Iqh.exe
O4 - HKCU\..\Run: [Geh] C:\WINNT\System32\Uvl.exe
O4 - HKCU\..\Run: [Ejv] C:\WINNT\System32\Ovt.exe
O4 - HKCU\..\Run: [Psl] C:\WINNT\Qov.exe
O4 - HKCU\..\Run: [Pjq] C:\WINNT\System32\Bre.exe
O4 - HKCU\..\Run: [Eum] C:\WINNT\Tkf.exe
O4 - HKCU\..\Run: [Voh] C:\WINNT\Omc.exe
O4 - HKCU\..\Run: [Vre] C:\WINNT\System32\Njp.exe
O4 - HKCU\..\Run: [Ouu] C:\WINNT\Ami.exe
O4 - HKCU\..\Run: [Uju] C:\WINNT\System32\Ues.exe
O4 - HKCU\..\Run: [Fpa] C:\WINNT\Uvr.exe
O4 - HKCU\..\Run: [Tlm] C:\WINNT\Pfa.exe
O4 - HKCU\..\Run: [Qfi] C:\WINNT\System32\Stu.exe
O4 - HKCU\..\Run: [Vju] C:\WINNT\Dof.exe
O4 - HKCU\..\Run: [Mob] C:\WINNT\System32\Tqt.exe
O4 - HKCU\..\Run: [Osv] C:\WINNT\Urr.exe
O4 - HKCU\..\Run: [Mmf] C:\WINNT\System32\Qgg.exe
O4 - HKCU\..\Run: [Gvs] C:\WINNT\Okq.exe
O4 - HKCU\..\Run: [Vov] C:\WINNT\Nas.exe
O4 - HKCU\..\Run: [Enb] C:\WINNT\Pde.exe
O4 - HKCU\..\Run: [Hmj] C:\WINNT\Asp.exe
O4 - HKCU\..\Run: [Uln] C:\WINNT\System32\Nkf.exe
O4 - HKCU\..\Run: [Jiu] C:\WINNT\System32\Aim.exe
O4 - HKCU\..\Run: [Ecs] C:\WINNT\Jir.exe
O4 - HKCU\..\Run: [Fbh] C:\WINNT\Ftu.exe
O4 - HKCU\..\Run: [Lep] C:\WINNT\Gio.exe
O4 - HKCU\..\Run: [Tov] C:\WINNT\System32\Tnt.exe
O4 - HKCU\..\Run: [Cin] C:\WINNT\System32\Lvc.exe
O4 - HKCU\..\Run: [Eov] C:\WINNT\Jsv.exe
O4 - HKCU\..\Run: [Bnm] C:\WINNT\System32\Uls.exe
O4 - HKCU\..\Run: [Cmk] C:\WINNT\Blg.exe
O4 - HKCU\..\Run: [Sfo] C:\WINNT\System32\Vnl.exe
O4 - HKCU\..\Run: [Urp] C:\WINNT\System32\Tkc.exe
O4 - HKCU\..\Run: [Pcg] C:\WINNT\System32\Cdb.exe
O4 - HKCU\..\Run: [Hkj] C:\WINNT\System32\Dgg.exe
O4 - HKCU\..\Run: [Rrd] C:\WINNT\System32\Ovu.exe
O4 - HKCU\..\Run: [Njh] C:\WINNT\Tmu.exe
O4 - HKCU\..\Run: [Lfi] C:\WINNT\Kaq.exe
O4 - HKCU\..\Run: [Fop] C:\WINNT\Ieb.exe
O4 - HKCU\..\Run: [Kru] C:\WINNT\Ish.exe
O4 - HKCU\..\Run: [Pka] C:\WINNT\System32\Ehn.exe
O4 - HKCU\..\Run: [Qlr] C:\WINNT\Lfj.exe
O4 - HKCU\..\Run: [Ubc] C:\WINNT\System32\Jbk.exe
O4 - HKCU\..\Run: [Nic] C:\WINNT\Orp.exe
O4 - HKCU\..\Run: [Djs] C:\WINNT\Apg.exe
O4 - HKCU\..\Run: [Ofp] C:\WINNT\Rbi.exe
O4 - HKCU\..\Run: [Ldv] C:\WINNT\Jop.exe
O4 - HKCU\..\Run: [Buf] C:\WINNT\Nsu.exe
O4 - HKCU\..\Run: [Tpr] C:\WINNT\Kbm.exe
O4 - HKCU\..\Run: [Qbd] C:\WINNT\System32\Jul.exe
O4 - HKCU\..\Run: [Djq] C:\WINNT\System32\Iis.exe
O4 - HKCU\..\Run: [Cok] C:\WINNT\System32\Puc.exe
O4 - HKCU\..\Run: [Qpd] C:\WINNT\Nok.exe
O4 - HKCU\..\Run: [Jhh] C:\WINNT\Luo.exe
O4 - HKCU\..\Run: [Mtv] C:\WINNT\System32\Lvn.exe
O4 - HKCU\..\Run: [Cft] C:\WINNT\System32\Jkg.exe
O4 - HKCU\..\Run: [Una] C:\WINNT\System32\Kja.exe
O4 - HKCU\..\Run: [Hdv] C:\WINNT\Gah.exe
O4 - HKCU\..\Run: [Tgd] C:\WINNT\System32\Oae.exe
O4 - HKCU\..\Run: [Vrj] C:\WINNT\Duj.exe
O4 - HKCU\..\Run: [Cfj] C:\WINNT\Fan.exe
O4 - HKCU\..\Run: [Kia] C:\WINNT\Vsd.exe
O4 - HKCU\..\Run: [Okd] C:\WINNT\Sbj.exe
O4 - HKCU\..\Run: [Vgc] C:\WINNT\System32\Pse.exe
O4 - HKCU\..\Run: [Pcj] C:\WINNT\Uvp.exe
O4 - HKCU\..\Run: [Pel] C:\WINNT\System32\Qfs.exe
O4 - HKCU\..\Run: [Hdn] C:\WINNT\Csd.exe
O4 - HKCU\..\Run: [Ftj] C:\WINNT\System32\Svo.exe
O4 - HKCU\..\Run: [Fdh] C:\WINNT\System32\Fek.exe
O4 - HKCU\..\Run: [Jbp] C:\WINNT\Dlb.exe
O4 - HKCU\..\Run: [Kto] C:\WINNT\Scn.exe
O4 - HKCU\..\Run: [Omq] C:\WINNT\System32\Npv.exe
O4 - HKCU\..\Run: [Qis] C:\WINNT\Tbi.exe
O4 - HKCU\..\Run: [Kqd] C:\WINNT\System32\Vco.exe
O4 - HKCU\..\Run: [Nhq] C:\WINNT\System32\Boq.exe
O4 - HKCU\..\Run: [Aso] C:\WINNT\Ovu.exe
O4 - HKCU\..\Run: [Aau] C:\WINNT\Gec.exe
O4 - HKCU\..\Run: [Ver] C:\WINNT\Vtg.exe
O4 - HKCU\..\Run: [Hte] C:\WINNT\System32\Dim.exe
O4 - HKCU\..\Run: [Khr] C:\WINNT\System32\Mef.exe
O4 - HKCU\..\Run: [Upl] C:\WINNT\System32\Afa.exe
O4 - HKCU\..\Run: [Oev] C:\WINNT\System32\Nii.exe
O4 - HKCU\..\Run: [Gkd] C:\WINNT\Bnn.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O15 - Trusted Zone: http://*.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O18 - Filter: text/html - {4D1C625B-7F97-4F0B-9FF3-BC88936CA137} - C:\WINNT\System32\klpjh.dll
O18 - Filter: text/plain - {4D1C625B-7F97-4F0B-9FF3-BC88936CA137} - C:\WINNT\System32\klpjh.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINNT\zeta.exe (file missing)
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [e005ROj5V] hpdac.exe
O4 - HKCU\..\Run: [Fmf] C:\WINNT\System32\Ofi.exe
O4 - HKCU\..\Run: [Aek] C:\WINNT\System32\Cvg.exe
O4 - HKCU\..\Run: [Ekk] C:\WINNT\System32\Lse.exe
O4 - HKCU\..\Run: [Cqe] C:\WINNT\Jum.exe
O4 - HKCU\..\Run: [Bkj] C:\WINNT\Qfu.exe
O4 - HKCU\..\Run: [Ubm] C:\WINNT\Fhn.exe
O4 - HKCU\..\Run: [Dhb] C:\WINNT\System32\Noh.exe
O4 - HKCU\..\Run: [Vjv] C:\WINNT\System32\Ebd.exe
O4 - HKCU\..\Run: [Bkf] C:\WINNT\Urb.exe
O4 - HKCU\..\Run: [Gkb] C:\WINNT\System32\Fpf.exe
O4 - HKCU\..\Run: [Lkb] C:\WINNT\Amm.exe
O4 - HKCU\..\Run: [Vlk] C:\WINNT\System32\Pdt.exe
O4 - HKCU\..\Run: [Hkg] C:\WINNT\Dot.exe
O4 - HKCU\..\Run: [Skm] C:\WINNT\System32\Sit.exe
O4 - HKCU\..\Run: [Rvq] C:\WINNT\Ohf.exe
O4 - HKCU\..\Run: [Nrf] C:\WINNT\System32\Mhs.exe
O4 - HKCU\..\Run: [Tva] C:\WINNT\Inp.exe
O4 - HKCU\..\Run: [Mfj] C:\WINNT\Hvr.exe
O4 - HKCU\..\Run: [Ilk] C:\WINNT\Ngu.exe
O4 - HKCU\..\Run: [Tbj] C:\WINNT\Fom.exe
O4 - HKCU\..\Run: [Scg] C:\WINNT\System32\Mhr.exe
O4 - HKCU\..\Run: [Iev] C:\WINNT\System32\Kkv.exe
O4 - HKCU\..\Run: [Ueo] C:\WINNT\Unn.exe
O4 - HKCU\..\Run: [Sop] C:\WINNT\Ifb.exe
O4 - HKCU\..\Run: [Acc] C:\WINNT\System32\Llu.exe
O4 - HKCU\..\Run: [Hjd] C:\WINNT\System32\Tek.exe
O4 - HKCU\..\Run: [Hva] C:\WINNT\System32\Sun.exe
O4 - HKCU\..\Run: [Dqa] C:\WINNT\Qid.exe
O4 - HKCU\..\Run: [Bct] C:\WINNT\Tij.exe
O4 - HKCU\..\Run: [Frg] C:\WINNT\System32\Mbd.exe
O4 - HKCU\..\Run: [Niq] C:\WINNT\System32\Ngg.exe
O4 - HKCU\..\Run: [Olk] C:\WINNT\Nte.exe
O4 - HKCU\..\Run: [Icl] C:\WINNT\System32\Bkq.exe
O4 - HKCU\..\Run: [Bsa] C:\WINNT\System32\Vtd.exe
O4 - HKCU\..\Run: [Mrc] C:\WINNT\System32\Api.exe
O4 - HKCU\..\Run: [Ulj] C:\WINNT\System32\Vno.exe
O4 - HKCU\..\Run: [Iqk] C:\WINNT\System32\Sjq.exe
O4 - HKCU\..\Run: [Kvm] C:\WINNT\End.exe
O4 - HKCU\..\Run: [Ejp] C:\WINNT\System32\Cuk.exe
O4 - HKCU\..\Run: [Lih] C:\WINNT\System32\Bqa.exe
O4 - HKCU\..\Run: [Acf] C:\WINNT\Rri.exe
O4 - HKCU\..\Run: [Ivi] C:\WINNT\Ljg.exe
O4 - HKCU\..\Run: [Sag] C:\WINNT\Gqs.exe
O4 - HKCU\..\Run: [Ujk] C:\WINNT\System32\Kmv.exe
O4 - HKCU\..\Run: [Bpt] C:\WINNT\Qka.exe
O4 - HKCU\..\Run: [Jmp] C:\WINNT\System32\Lsa.exe
O4 - HKCU\..\Run: [Qbu] C:\WINNT\Crp.exe
O4 - HKCU\..\Run: [Ail] C:\WINNT\System32\Lgm.exe
O4 - HKCU\..\Run: [Fgv] C:\WINNT\System32\Ugm.exe
O4 - HKCU\..\Run: [Olr] C:\WINNT\Kbk.exe
O4 - HKCU\..\Run: [Nkg] C:\WINNT\Rac.exe
O4 - HKCU\..\Run: [Jrg] C:\WINNT\System32\Uug.exe
O4 - HKCU\..\Run: [Qnj] C:\WINNT\Tos.exe
O4 - HKCU\..\Run: [Isi] C:\WINNT\System32\Bsm.exe
O4 - HKCU\..\Run: [Ddk] C:\WINNT\System32\Qbb.exe
O4 - HKCU\..\Run: [Aco] C:\WINNT\System32\Mul.exe
O4 - HKCU\..\Run: [Dkj] C:\WINNT\Ppt.exe
O4 - HKCU\..\Run: [Cpl] C:\WINNT\Ioi.exe
O4 - HKCU\..\Run: [Mla] C:\WINNT\System32\Mlj.exe
O4 - HKCU\..\Run: [Rdm] C:\WINNT\System32\Nep.exe
O4 - HKCU\..\Run: [Vlc] C:\WINNT\Smd.exe
O4 - HKCU\..\Run: [Fkb] C:\WINNT\System32\Bui.exe
O4 - HKCU\..\Run: [Boq] C:\WINNT\Mkv.exe
O4 - HKCU\..\Run: [Kpl] C:\WINNT\System32\Nnn.exe
O4 - HKCU\..\Run: [Llb] C:\WINNT\Oaq.exe
O4 - HKCU\..\Run: [Ilp] C:\WINNT\System32\Kjj.exe
O4 - HKCU\..\Run: [Bif] C:\WINNT\Jqp.exe
O4 - HKCU\..\Run: [Btv] C:\WINNT\System32\Dlj.exe
O4 - HKCU\..\Run: [Ajj] C:\WINNT\System32\Llk.exe
O4 - HKCU\..\Run: [Ebm] C:\WINNT\System32\Htd.exe
O4 - HKCU\..\Run: [Qpc] C:\WINNT\Tlr.exe
O4 - HKCU\..\Run: [Gof] C:\WINNT\System32\Aql.exe
O4 - HKCU\..\Run: [Dns] C:\WINNT\System32\Qfl.exe
O4 - HKCU\..\Run: [Qda] C:\WINNT\System32\Nqe.exe
O4 - HKCU\..\Run: [Jhl] C:\WINNT\System32\Vlv.exe
O4 - HKCU\..\Run: [Gbj] C:\WINNT\System32\Gcp.exe
O4 - HKCU\..\Run: [Iik] C:\WINNT\System32\Jem.exe
O4 - HKCU\..\Run: [Nmh] C:\WINNT\System32\Cva.exe
O4 - HKCU\..\Run: [Tcq] C:\WINNT\System32\Rhj.exe
O4 - HKCU\..\Run: [Tmv] C:\WINNT\System32\Ial.exe
O4 - HKCU\..\Run: [Afa] C:\WINNT\System32\Khu.exe
O4 - HKCU\..\Run: [Mcg] C:\WINNT\System32\Rln.exe
O4 - HKCU\..\Run: [Mhh] C:\WINNT\System32\Oen.exe
O4 - HKCU\..\Run: [Bni] C:\WINNT\Okn.exe
O4 - HKCU\..\Run: [Idg] C:\WINNT\System32\Ger.exe
O4 - HKCU\..\Run: [Ehi] C:\WINNT\System32\Anh.exe
O4 - HKCU\..\Run: [Cso] C:\WINNT\System32\Jir.exe
O4 - HKCU\..\Run: [Hvi] C:\WINNT\Smr.exe
O4 - HKCU\..\Run: [Nkc] C:\WINNT\System32\Dcm.exe
O4 - HKCU\..\Run: [Uiu] C:\WINNT\System32\Tfm.exe
O4 - HKCU\..\Run: [Bks] C:\WINNT\System32\Hro.exe
O4 - HKCU\..\Run: [Nok] C:\WINNT\System32\Vmg.exe
O4 - HKCU\..\Run: [Qkd] C:\WINNT\System32\Mms.exe
O4 - HKCU\..\Run: [Efn] C:\WINNT\Kjt.exe
O4 - HKCU\..\Run: [Cqs] C:\WINNT\Enu.exe
O4 - HKCU\..\Run: [Pol] C:\WINNT\Eto.exe
O4 - HKCU\..\Run: [Mqp] C:\WINNT\System32\Foc.exe
O4 - HKCU\..\Run: [Env] C:\WINNT\System32\Toc.exe
O4 - HKCU\..\Run: [Jnl] C:\WINNT\System32\Vnl.exe
O4 - HKCU\..\Run: [Vqn] C:\WINNT\System32\Vqm.exe
O4 - HKCU\..\Run: [Sfp] C:\WINNT\System32\Udl.exe
O4 - HKCU\..\Run: [Pde] C:\WINNT\Miv.exe
O4 - HKCU\..\Run: [Lks] C:\WINNT\System32\Uvd.exe
O4 - HKCU\..\Run: [Bcq] C:\WINNT\System32\Ldn.exe
O4 - HKCU\..\Run: [Ums] C:\WINNT\Tbh.exe
O4 - HKCU\..\Run: [Huv] C:\WINNT\System32\Ckg.exe
O4 - HKCU\..\Run: [Phs] C:\WINNT\System32\Bgb.exe
O4 - HKCU\..\Run: [Vpb] C:\WINNT\Nig.exe
O4 - HKCU\..\Run: [Qjt] C:\WINNT\System32\Ndb.exe
O4 - HKCU\..\Run: [Npk] C:\WINNT\Dme.exe
O4 - HKCU\..\Run: [Bpn] C:\WINNT\Ckp.exe
O4 - HKCU\..\Run: [Gtl] C:\WINNT\System32\Mda.exe
O4 - HKCU\..\Run: [Cpb] C:\WINNT\Aln.exe
O4 - HKCU\..\Run: [Lko] C:\WINNT\System32\Lbq.exe
O4 - HKCU\..\Run: [Lui] C:\WINNT\System32\Jgf.exe
O4 - HKCU\..\Run: [Fqo] C:\WINNT\System32\Kra.exe
O4 - HKCU\..\Run: [Nai] C:\WINNT\Ocj.exe
O4 - HKCU\..\Run: [Ods] C:\WINNT\System32\Sbn.exe
O4 - HKCU\..\Run: [Soe] C:\WINNT\Jbu.exe
O4 - HKCU\..\Run: [Jba] C:\WINNT\Rmv.exe
O4 - HKCU\..\Run: [Mdt] C:\WINNT\Rcu.exe
O4 - HKCU\..\Run: [Tbc] C:\WINNT\Lbk.exe
O4 - HKCU\..\Run: [Uao] C:\WINNT\Egi.exe
O4 - HKCU\..\Run: [Knd] C:\WINNT\Bge.exe
O4 - HKCU\..\Run: [Vuu] C:\WINNT\Oth.exe
O4 - HKCU\..\Run: [Nct] C:\WINNT\Jku.exe
O4 - HKCU\..\Run: [Ime] C:\WINNT\Ill.exe
O4 - HKCU\..\Run: [Qfd] C:\WINNT\Kij.exe
O4 - HKCU\..\Run: [Bae] C:\WINNT\Ais.exe
O4 - HKCU\..\Run: [Vnt] C:\WINNT\Tda.exe
O4 - HKCU\..\Run: [Dmr] C:\WINNT\Oes.exe
O4 - HKCU\..\Run: [Pdh] C:\WINNT\Ata.exe
O4 - HKCU\..\Run: [Ksn] C:\WINNT\System32\Ebt.exe
O4 - HKCU\..\Run: [Vkl] C:\WINNT\System32\Ukr.exe
O4 - HKCU\..\Run: [Quc] C:\WINNT\Oru.exe
O4 - HKCU\..\Run: [Tqt] C:\WINNT\Cno.exe
O4 - HKCU\..\Run: [Osh] C:\WINNT\Nho.exe
O4 - HKCU\..\Run: [Bkl] C:\WINNT\Ual.exe
O4 - HKCU\..\Run: [Otl] C:\WINNT\System32\Ngg.exe
O4 - HKCU\..\Run: [Irq] C:\WINNT\Ikb.exe
O4 - HKCU\..\Run: [Bib] C:\WINNT\Qbv.exe
O4 - HKCU\..\Run: [Oou] C:\WINNT\System32\Qdq.exe
O4 - HKCU\..\Run: [Quk] C:\WINNT\Sdm.exe
O4 - HKCU\..\Run: [Ptv] C:\WINNT\Igl.exe
O4 - HKCU\..\Run: [Dms] C:\WINNT\Qrl.exe
O4 - HKCU\..\Run: [Ubr] C:\WINNT\System32\Icv.exe
O4 - HKCU\..\Run: [Pbj] C:\WINNT\System32\Ekq.exe
O4 - HKCU\..\Run: [Jfi] C:\WINNT\System32\Grk.exe
O4 - HKCU\..\Run: [Phl] C:\WINNT\Utv.exe
O4 - HKCU\..\Run: [Rjb] C:\WINNT\System32\Kru.exe
O4 - HKCU\..\Run: [Neg] C:\WINNT\System32\Dsb.exe
O4 - HKCU\..\Run: [Neo] C:\WINNT\Khq.exe
O4 - HKCU\..\Run: [Hao] C:\WINNT\System32\Ape.exe
O4 - HKCU\..\Run: [Osk] C:\WINNT\Vuu.exe
O4 - HKCU\..\Run: [Hbq] C:\WINNT\System32\Fvg.exe
O4 - HKCU\..\Run: [Csi] C:\WINNT\Qqt.exe
O4 - HKCU\..\Run: [Kmc] C:\WINNT\System32\Mir.exe
O4 - HKCU\..\Run: [Ljj] C:\WINNT\System32\Uih.exe
O4 - HKCU\..\Run: [Btr] C:\WINNT\System32\Ugi.exe
O4 - HKCU\..\Run: [Flf] C:\WINNT\System32\Lqq.exe
O4 - HKCU\..\Run: [Ubp] C:\WINNT\System32\Fiq.exe
O4 - HKCU\..\Run: [Cbb] C:\WINNT\Fat.exe
O4 - HKCU\..\Run: [Pvm] C:\WINNT\System32\Tpg.exe
O4 - HKCU\..\Run: [Gnn] C:\WINNT\Prv.exe
O4 - HKCU\..\Run: [Ghb] C:\WINNT\Ond.exe
O4 - HKCU\..\Run: [Mif] C:\WINNT\Fib.exe
O4 - HKCU\..\Run: [Ivg] C:\WINNT\Cuv.exe
O4 - HKCU\..\Run: [Kbf] C:\WINNT\System32\Kno.exe
O4 - HKCU\..\Run: [Otd] C:\WINNT\Orb.exe
O4 - HKCU\..\Run: [Eat] C:\WINNT\System32\Cug.exe
O4 - HKCU\..\Run: [Las] C:\WINNT\System32\Aos.exe
O4 - HKCU\..\Run: [Mrp] C:\WINNT\Fmf.exe
O4 - HKCU\..\Run: [Jir] C:\WINNT\System32\Llu.exe
O4 - HKCU\..\Run: [Sfq] C:\WINNT\Ukt.exe
O4 - HKCU\..\Run: [Mtu] C:\WINNT\System32\Bfk.exe
O4 - HKCU\..\Run: [Ima] C:\WINNT\Gjk.exe
O4 - HKCU\..\Run: [Vom] C:\WINNT\Nvu.exe
O4 - HKCU\..\Run: [Hkb] C:\WINNT\Ika.exe
O4 - HKCU\..\Run: [Jkf] C:\WINNT\Csc.exe
O4 - HKCU\..\Run: [Lgm] C:\WINNT\System32\Fqe.exe
O4 - HKCU\..\Run: [Bjn] C:\WINNT\System32\Ojp.exe
O4 - HKCU\..\Run: [Kom] C:\WINNT\Nbf.exe
O4 - HKCU\..\Run: [Uki] C:\WINNT\System32\Fhu.exe
O4 - HKCU\..\Run: [Hcl] C:\WINNT\System32\Pae.exe
O4 - HKCU\..\Run: [Hce] C:\WINNT\System32\Lsv.exe
O4 - HKCU\..\Run: [Ute] C:\WINNT\System32\Qeu.exe
O4 - HKCU\..\Run: [Gmt] C:\WINNT\Nvp.exe
O4 - HKCU\..\Run: [Ovc] C:\WINNT\System32\Sgk.exe
O4 - HKCU\..\Run: [Epe] C:\WINNT\System32\Dpo.exe
O4 - HKCU\..\Run: [Skd] C:\WINNT\Lkj.exe
O4 - HKCU\..\Run: [Oeu] C:\WINNT\System32\Gdu.exe
O4 - HKCU\..\Run: [Ukb] C:\WINNT\System32\Dsd.exe
O4 - HKCU\..\Run: [Iku] C:\WINNT\System32\Mrp.exe
O4 - HKCU\..\Run: [Okn] C:\WINNT\System32\Rjl.exe
O4 - HKCU\..\Run: [Dkl] C:\WINNT\System32\Fsl.exe
O4 - HKCU\..\Run: [Vsk] C:\WINNT\Mtc.exe
O4 - HKCU\..\Run: [Kpb] C:\WINNT\Rtn.exe
O4 - HKCU\..\Run: [Qul] C:\WINNT\System32\Dcs.exe
O4 - HKCU\..\Run: [Ndf] C:\WINNT\System32\Srf.exe
O4 - HKCU\..\Run: [Ner] C:\WINNT\Oll.exe
O4 - HKCU\..\Run: [Sqs] C:\WINNT\System32\Iqh.exe
O4 - HKCU\..\Run: [Geh] C:\WINNT\System32\Uvl.exe
O4 - HKCU\..\Run: [Ejv] C:\WINNT\System32\Ovt.exe
O4 - HKCU\..\Run: [Psl] C:\WINNT\Qov.exe
O4 - HKCU\..\Run: [Pjq] C:\WINNT\System32\Bre.exe
O4 - HKCU\..\Run: [Eum] C:\WINNT\Tkf.exe
O4 - HKCU\..\Run: [Voh] C:\WINNT\Omc.exe
O4 - HKCU\..\Run: [Vre] C:\WINNT\System32\Njp.exe
O4 - HKCU\..\Run: [Ouu] C:\WINNT\Ami.exe
O4 - HKCU\..\Run: [Uju] C:\WINNT\System32\Ues.exe
O4 - HKCU\..\Run: [Fpa] C:\WINNT\Uvr.exe
O4 - HKCU\..\Run: [Tlm] C:\WINNT\Pfa.exe
O4 - HKCU\..\Run: [Qfi] C:\WINNT\System32\Stu.exe
O4 - HKCU\..\Run: [Vju] C:\WINNT\Dof.exe
O4 - HKCU\..\Run: [Mob] C:\WINNT\System32\Tqt.exe
O4 - HKCU\..\Run: [Osv] C:\WINNT\Urr.exe
O4 - HKCU\..\Run: [Mmf] C:\WINNT\System32\Qgg.exe
O4 - HKCU\..\Run: [Gvs] C:\WINNT\Okq.exe
O4 - HKCU\..\Run: [Vov] C:\WINNT\Nas.exe
O4 - HKCU\..\Run: [Enb] C:\WINNT\Pde.exe
O4 - HKCU\..\Run: [Hmj] C:\WINNT\Asp.exe
O4 - HKCU\..\Run: [Uln] C:\WINNT\System32\Nkf.exe
O4 - HKCU\..\Run: [Jiu] C:\WINNT\System32\Aim.exe
O4 - HKCU\..\Run: [Ecs] C:\WINNT\Jir.exe
O4 - HKCU\..\Run: [Fbh] C:\WINNT\Ftu.exe
O4 - HKCU\..\Run: [Lep] C:\WINNT\Gio.exe
O4 - HKCU\..\Run: [Tov] C:\WINNT\System32\Tnt.exe
O4 - HKCU\..\Run: [Cin] C:\WINNT\System32\Lvc.exe
O4 - HKCU\..\Run: [Eov] C:\WINNT\Jsv.exe
O4 - HKCU\..\Run: [Bnm] C:\WINNT\System32\Uls.exe
O4 - HKCU\..\Run: [Cmk] C:\WINNT\Blg.exe
O4 - HKCU\..\Run: [Sfo] C:\WINNT\System32\Vnl.exe
O4 - HKCU\..\Run: [Urp] C:\WINNT\System32\Tkc.exe
O4 - HKCU\..\Run: [Pcg] C:\WINNT\System32\Cdb.exe
O4 - HKCU\..\Run: [Hkj] C:\WINNT\System32\Dgg.exe
O4 - HKCU\..\Run: [Rrd] C:\WINNT\System32\Ovu.exe
O4 - HKCU\..\Run: [Njh] C:\WINNT\Tmu.exe
O4 - HKCU\..\Run: [Lfi] C:\WINNT\Kaq.exe
O4 - HKCU\..\Run: [Fop] C:\WINNT\Ieb.exe
O4 - HKCU\..\Run: [Kru] C:\WINNT\Ish.exe
O4 - HKCU\..\Run: [Pka] C:\WINNT\System32\Ehn.exe
O4 - HKCU\..\Run: [Qlr] C:\WINNT\Lfj.exe
O4 - HKCU\..\Run: [Ubc] C:\WINNT\System32\Jbk.exe
O4 - HKCU\..\Run: [Nic] C:\WINNT\Orp.exe
O4 - HKCU\..\Run: [Djs] C:\WINNT\Apg.exe
O4 - HKCU\..\Run: [Ofp] C:\WINNT\Rbi.exe
O4 - HKCU\..\Run: [Ldv] C:\WINNT\Jop.exe
O4 - HKCU\..\Run: [Buf] C:\WINNT\Nsu.exe
O4 - HKCU\..\Run: [Tpr] C:\WINNT\Kbm.exe
O4 - HKCU\..\Run: [Qbd] C:\WINNT\System32\Jul.exe
O4 - HKCU\..\Run: [Djq] C:\WINNT\System32\Iis.exe
O4 - HKCU\..\Run: [Cok] C:\WINNT\System32\Puc.exe
O4 - HKCU\..\Run: [Qpd] C:\WINNT\Nok.exe
O4 - HKCU\..\Run: [Jhh] C:\WINNT\Luo.exe
O4 - HKCU\..\Run: [Mtv] C:\WINNT\System32\Lvn.exe
O4 - HKCU\..\Run: [Cft] C:\WINNT\System32\Jkg.exe
O4 - HKCU\..\Run: [Una] C:\WINNT\System32\Kja.exe
O4 - HKCU\..\Run: [Hdv] C:\WINNT\Gah.exe
O4 - HKCU\..\Run: [Tgd] C:\WINNT\System32\Oae.exe
O4 - HKCU\..\Run: [Vrj] C:\WINNT\Duj.exe
O4 - HKCU\..\Run: [Cfj] C:\WINNT\Fan.exe
O4 - HKCU\..\Run: [Kia] C:\WINNT\Vsd.exe
O4 - HKCU\..\Run: [Okd] C:\WINNT\Sbj.exe
O4 - HKCU\..\Run: [Vgc] C:\WINNT\System32\Pse.exe
O4 - HKCU\..\Run: [Pcj] C:\WINNT\Uvp.exe
O4 - HKCU\..\Run: [Pel] C:\WINNT\System32\Qfs.exe
O4 - HKCU\..\Run: [Hdn] C:\WINNT\Csd.exe
O4 - HKCU\..\Run: [Ftj] C:\WINNT\System32\Svo.exe
O4 - HKCU\..\Run: [Fdh] C:\WINNT\System32\Fek.exe
O4 - HKCU\..\Run: [Jbp] C:\WINNT\Dlb.exe
O4 - HKCU\..\Run: [Kto] C:\WINNT\Scn.exe
O4 - HKCU\..\Run: [Omq] C:\WINNT\System32\Npv.exe
O4 - HKCU\..\Run: [Qis] C:\WINNT\Tbi.exe
O4 - HKCU\..\Run: [Kqd] C:\WINNT\System32\Vco.exe
O4 - HKCU\..\Run: [Nhq] C:\WINNT\System32\Boq.exe
O4 - HKCU\..\Run: [Aso] C:\WINNT\Ovu.exe
O4 - HKCU\..\Run: [Aau] C:\WINNT\Gec.exe
O4 - HKCU\..\Run: [Ver] C:\WINNT\Vtg.exe
O4 - HKCU\..\Run: [Hte] C:\WINNT\System32\Dim.exe
O4 - HKCU\..\Run: [Khr] C:\WINNT\System32\Mef.exe
O4 - HKCU\..\Run: [Upl] C:\WINNT\System32\Afa.exe
O4 - HKCU\..\Run: [Oev] C:\WINNT\System32\Nii.exe
O4 - HKCU\..\Run: [Gkd] C:\WINNT\Bnn.exe
Reboot and post a new hijackthis log by copying and pasting it here as a reply to this post.
I have been in to look at the system this morning, and it is still running only a handful of processes, so nothing else has happened - so far.
It occurred to me this morning that the huge MWAV log would be because it displayed 5 lines for each of the 1700-odd processes it killed. If it would help I could cut these out and copy/paste in the rest. Let me know.
The Lady is quite contrite about the lack of AV on the server - her workstations are protected with AVAST or AVG - she probably did not know what to get for the server.
The MWAV thing seemed quite powerful, and I saw that it invited purchase of a copy for not a lot at the end of the scan. Do you think this would be effective?
Thanks again ............. Iain
Iain
I have taken out the listed items via HJT, and the remaining log items are a bit more manageable now! I paste it in below, and await further (and much appreciated) instructions.
Thanks .... Iain
Logfile of HijackThis v1.99.1
Scan saved at 20:18:51, on 12/05/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\explorer.exe
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {7633DBB9-96B2-40BE-84E5-8713F987DE8E} - C:\WINNT\System32\kpf.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [logon.exe] C:\WINNT\System32\logon.exe
O4 - HKLM\..\Run: [Iqk] C:\WINNT\System32\Sjq.exe
O4 - HKLM\..\Run: [Jiu] C:\WINNT\System32\Aim.exe
O4 - HKLM\..\Run: [Cin] C:\WINNT\System32\Lvc.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O15 - Trusted Zone: http://*.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O18 - Filter: text/html - {D6E83E24-185F-4F15-A8FB-9EA72E6ABEF3} - C:\WINNT\System32\kpf.dll
O18 - Filter: text/plain - {D6E83E24-185F-4F15-A8FB-9EA72E6ABEF3} - C:\WINNT\System32\kpf.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
Fix these lines with hijackthis.
O4 - HKLM\..\Run: [logon.exe] C:\WINNT\System32\logon.exe
O4 - HKLM\..\Run: [Iqk] C:\WINNT\System32\Sjq.exe
O4 - HKLM\..\Run: [Jiu] C:\WINNT\System32\Aim.exe
O4 - HKLM\..\Run: [Cin] C:\WINNT\System32\Lvc.exe
Make a new folder on your desktop and name it 'SpSeHjfix112'.
Download SpSeHjfix112 place it in the new folder and unzip the program.
http://www.derbilk.de/SpSeHjfix112.zip
Disconnect from the net and Close ALL OPEN PROGRAMS.
Run SpSeHjfix112 and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the new folder.
Please post a new hijackthis log and the log from SpSeHjfix.
Instructions followed, and HJT log pasted below. The other file created - test.reg - was difficult to open, so I have renamed it test.txt and attached it.
I noticed that IE opened on re-start, going to downloader.tibsystems.com
and afterwards AdAware found and stopped 10 objects styled tib browser.
Cheers ..... Iain
Logfile of HijackThis v1.99.1
Scan saved at 14:19:05, on 13/05/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ibs.exe
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Downloads\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O15 - Trusted Zone: http://*.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
Please run at least two of these online scans.
Make sure they are set to clean automatically:
Panda Virus Scan
Bit Defender
TrendMicro Housecall
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new hijackthis log and the info from your virus scans.
3 HJT items fixed, log follows at the end of the post
I was able to run the PANDA and Bit Defender, but the system would not start Housecall. I also ran the McAfee equivalent, and its log is posted after Bit Defender's.
I also deleted IE's saved files
I hope all this helps ..... Iain
Panda items -
Incident Status Location
Adware:Adware/nCase No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\180SAInstaller.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.fr606C\common.dll
Adware:Adware/SearchExe No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frA6B4
Adware:Adware/SearchExe No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frE2FD
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.frECAF
Virus:Bck/Agent.RS Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\vx2.game
Adware:Adware/Tibs No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\vx3.game
Adware:Adware/WinTools No disinfected C:\Downloads\backups\backup-20050510-203213-264.dll
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\ProxyStub.dll.mwt
Virus:Bck/Agent.RS Disinfected C:\RECYCLER\svchost.exe
Virus:Bck/Zins.I Disinfected C:\sys237927985.exe.mwt
Virus:Trj/Downloader.BWL Renamed C:\trig.dtl
Virus:Bck/Zins.I Disinfected C:\WINNT\sys4122.exe.mwt
Virus:Bck/Agent.RS Disinfected C:\WINNT\system\svchost.exe
Adware:Adware/SAHAgent No disinfected C:\WINNT\system32\bln02nqv.exe
Adware:Adware/Nowfind No disinfected C:\WINNT\system32\hst32.dll
Virus:Bck/Zins.I Disinfected C:\WINNT\system32\logon.exe.mwt
Virus:Trj/Hooker.G Disinfected C:\WINNT\system32\rch.dll
Adware:Adware/Adsmart No disinfected C:\WINNT\system32\thun.dll
Adware:Adware/Adsmart No disinfected C:\WINNT\system32\vx.tll
Virus:Bck/Agent.RS Disinfected C:\WINNT\system32\vxgame2.exe
Adware:Adware/Tibs No disinfected C:\WINNT\system32\vxgame3.exe
Adware:Adware/Nowfind No disinfected C:\WINNT\system32\wcnl32.dll
Adware:Adware/Ucmore No disinfected C:\WINNT\ucmoreiex.exe
Bit Defender - report follows -
C:\Documents and Settings\Administrator\Local Settings\Temp\125957.exe: infected with Trojan.DownLoader.1336
C:\Documents and Settings\Administrator\Local Settings\Temp\125957.exe: disinfection failed
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NO9M9K1G\125957[1].exe: infected with Trojan.PornDialer.BP
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NO9M9K1G\125957[1].exe: disinfection failed
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>related.htm: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BTV.zip=>sbRecovery.reg: password protected
McAfee
List of Infected Files
File Name Virus Name
C:\Documents and Settings\...\Temp\temp.frA6B4 StartPage-DU.dll
C:\Documents and Settings\...\Temp\temp.frE2FD StartPage-DU.dll
C:\Documents and Settings\...\Temp\vx3.game Generic Downloader.f
C:\sys237927985.exe.mwt BackDoor-AWV
C:\WINNT\sys4122.exe.mwt BackDoor-AWV
C:\WINNT\system32\logon.exe.mwt BackDoor-AWV
C:\WINNT\system32\vxgame3.exe Generic Downloader.f
HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 09:34:50, on 15/05/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ibs.exe
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Downloads\hijackthis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.virgin.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O15 - Trusted Zone: http://*.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
Delete these files/folders, if found:
C:\Program Files\CxtPls
C:\WINNT\system32\bln02nqv.exe
C:\WINNT\system32\hst32.dll
C:\WINNT\system32\thun.dll
C:\WINNT\system32\vx.tll
C:\WINNT\system32\vxgame3.exe
C:\WINNT\system32\wcnl32.dll
C:\WINNT\ucmoreiex.exe
Download, install, and run CleanUp 4.0
http://cleanup.stevengould.org/
Are you having any more problems?
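Comparing successive HijackThis logs shows which entries a cleanup pass removed and which ones came back after a reboot. The following is an added example, not part of the thread: the function names are hypothetical, and the three inputs are short excerpts of the logs dated 12/05, 13/05 and 16/05 in this thread.

```python
import re

# A HijackThis entry line is "<code> - <detail>", e.g. "O4 - HKLM\..\Run: [sp] ..."
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def parse_hjt(log_text):
    """Return (processes, entries) keyed case-insensitively, values as logged."""
    processes, entries = {}, {}
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False
            code, detail = match.groups()
            entries[(code, detail.lower())] = f"{code} - {detail}"
        elif line.lower().startswith("running processes"):
            in_processes = True
        elif in_processes:
            # Windows paths are case-insensitive: explorer.exe == Explorer.EXE
            processes[line.lower()] = line
    return processes, entries


def diff_logs(before_text, after_text):
    """What appeared and what disappeared between two scans."""
    b_proc, b_ent = parse_hjt(before_text)
    a_proc, a_ent = parse_hjt(after_text)
    return {
        "new_processes": sorted(v for k, v in a_proc.items() if k not in b_proc),
        "gone_processes": sorted(v for k, v in b_proc.items() if k not in a_proc),
        "new_entries": sorted(v for k, v in a_ent.items() if k not in b_ent),
        "gone_entries": sorted(v for k, v in b_ent.items() if k not in a_ent),
    }


def reappeared(logs):
    """Entries present in one scan, absent from a later one, then present again.

    `logs` must be in chronological order.
    """
    seen, dropped, back = set(), set(), {}
    for text in logs:
        _, entries = parse_hjt(text)
        for key, line in entries.items():
            if key in dropped:
                back[key] = line
        dropped.update(k for k in seen if k not in entries)
        dropped.difference_update(entries)
        seen.update(entries)
    return sorted(back.values())


# Excerpts of the logs posted in this thread (shortened, not the full logs).
LOG_12_MAY = r"""
Running processes:
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\explorer.exe
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: (no name) - {7633DBB9-96B2-40BE-84E5-8713F987DE8E} - C:\WINNT\System32\kpf.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O18 - Filter: text/html - {D6E83E24-185F-4F15-A8FB-9EA72E6ABEF3} - C:\WINNT\System32\kpf.dll
"""

LOG_13_MAY = r"""
Running processes:
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ibs.exe
C:\Downloads\hijackthis.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
"""

LOG_16_MAY = r"""
Running processes:
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\rundll32.exe
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
O2 - BHO: (no name) - {CC57F8C2-E4FE-464B-8E07-8DEB78B8B682} - C:\WINNT\System32\eken.dll (file missing)
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
"""

if __name__ == "__main__":
    for label, lines in diff_logs(LOG_12_MAY, LOG_13_MAY).items():
        print(label, *lines, sep="\n  ")
    print("reappeared", *reappeared([LOG_12_MAY, LOG_13_MAY, LOG_16_MAY]), sep="\n  ")
```

An entry listed under `reappeared` was removed once and then rewritten by something the cleanup missed, so the component that recreates it still has to be found before fixing the entry again.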
and I am sorry, this is turning into a bit of a marathon for you. I found and deleted each of the files you listed, and ran the clean-up, but when it re-booted it started to be hijacked again.
The attached log shows unwelcome R0 and R1 items.
I followed up by running AdAware and it found and claimed to delete 42 items - 9 TIB Browser, 9 Alexa, 21 CoolWebSearch and 1 "Possible browser Hi-jack attempt".
I am inclined to remove any programs not immediately needed - for example, someone put on "NoAdware" which seems to be kosher, but ....
Further thoughts will be welcome. I would also like to see an appropriate Anti-Virus installed - have you any favourites for this scenario?
All the best ...... Iain
Logfile of HijackThis v1.99.1
Scan saved at 19:19:25, on 16/05/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP1 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\loadqm.exe
C:\WINNT\System32\rundll32.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {CC57F8C2-E4FE-464B-8E07-8DEB78B8B682} - C:\WINNT\System32\eken.dll (file missing)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O18 - Filter: text/html - {A7EA01D6-272B-441F-9B6D-F993AA60C5B3} - C:\WINNT\System32\eken.dll
O18 - Filter: text/plain - {A7EA01D6-272B-441F-9B6D-F993AA60C5B3} - C:\WINNT\System32\eken.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
Download SpSeHjfix112 place it in the new folder and unzip the program.
http://www.derbilk.de/SpSeHjfix112.zip
Disconnect from the net and Close ALL OPEN PROGRAMS.
Run SpSeHjfix112 and click on "Start Disinfection".
When it's finished it will reboot your machine to finish the cleaning process.
The tool creates a log of the fix which will appear in the new folder.
Please post a new hijackthis log and the log from SpSeHjfix.
Please download and install AVG antivirus. Follow the prompts to download and install all updates and then run a complete scan.
http://free.grisoft.com/doc/Get+AVG+FREE/lng/us/tpl/v5
Let me know what AVG finds.
Ran SpSeHjfix, and this time saw how to capture the log. The posting below shows
1. HJ log after SpSeHjfix
2. SpSeHjfix log
3. HJ log after running AVG
I had to use the trial Server version of AVG - the free version refuses to load.
On the initial run AVG found 3 trojans
C:misb.exe Trojan Horse Dialer
C:documents and settings\Administrator\local settings\temo\tempFr4b30
C:Program Files\Web Site Viewer\125957.exe
and healed all 3.
It then sporadically reports the presence of BackDoor.Agent.BA in C:WINNT\system32\msdn.dll but can neither heal nor put it to vault - so continue is the only option.
S-T-I-N-G-E-R found nothing, but TIB Browser is still there for AdAware to find and delete.
On re-boot AVG finds and kills again the 3 trojans.
Cheers .... Iain
Logfile of HijackThis v1.99.1
Scan saved at 18:03:30, on 17/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Downloads\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
Log from SpSeHjfix
(5/17/05 17:27:44) SPSeHjFix started v1.1.2
(5/17/05 17:27:44) OS: Win2000 Service Pack 2 (5.0.2195)
(5/17/05 17:27:44) Language: english
(5/17/05 17:27:44) Win-Path: C:\WINNT
(5/17/05 17:27:44) System-Path: C:\WINNT\System32
(5/17/05 17:27:44) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/17/05 17:27:51) Disinfection started
(5/17/05 17:27:51) Bad-Dll(IEP): c:\docume~1\admini~1\locals~1\temp\se.dll
(5/17/05 17:27:51) Searchassistant Uninstaller found: regsvr32 /s /u C:\WINNT\System32\cjbb.dll
(5/17/05 17:27:51) Searchassistant Uninstaller - Keys Deleted
(5/17/05 17:27:51) UBF: 6 - UBB: 1 - UBR: 5
(5/17/05 17:27:51) FilterKey: HKCR\text/html (deleted)
(5/17/05 17:27:51) FilterKey: HKCR\CLSID\{0E43BD74-B70C-443A-A6AE-08CEE3CF1CAD} (deleted)
(5/17/05 17:27:51) FilterKey: HKLM\SOFTWARE\Classes\text/html (error while deleting)
(5/17/05 17:27:51) FilterKey: HKCR\text/plain (deleted)
(5/17/05 17:27:51) FilterKey: HKCR\CLSID\{0E43BD74-B70C-443A-A6AE-08CEE3CF1CAD} (error while deleting)
(5/17/05 17:27:51) FilterKey: HKLM\SOFTWARE\Classes\text/plain (error while deleting)
(5/17/05 17:27:51) BHO-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9BFF5A8F-7400-48DE-ABD1-E2A4471F8BC4} (deleted)
(5/17/05 17:27:51) BHO-Key: HKCR\CLSID\{9BFF5A8F-7400-48DE-ABD1-E2A4471F8BC4} (deleted)
(5/17/05 17:27:51) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(5/17/05 17:27:51) UBF: 4 - UBB: 0 - UBR: 4
(5/17/05 17:27:51) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/sp.html
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKCU\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Bar: res://c:\docume~1\admini~1\locals~1\temp\se.dll/sp.html
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Start Page: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, HomeOldSP: about:blank
deleted: HKLM\Software\Microsoft\Internet Explorer\Search, SearchAssistant: about:blank
(5/17/05 17:27:51) Stealth-String not found
(5/17/05 17:27:51) File added to delete: c:\winnt\system32\cjbb.dll
(5/17/05 17:27:51) File added to delete: c:\docume~1\admini~1\locals~1\temp\se.dll
(5/17/05 17:27:51) Reboot
(5/17/05 17:31:35) SPSeHjFix started v1.1.2
(5/17/05 17:31:35) OS: Win2000 Service Pack 4 (5.0.2195)
(5/17/05 17:31:35) Language: english
(5/17/05 17:31:35) Win-Path: C:\WINNT
(5/17/05 17:31:35) System-Path: C:\WINNT\system32
(5/17/05 17:31:35) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/17/05 17:34:37) Disinfection started
(5/17/05 17:34:37) Bad-Dll(IEP): (not found)
(5/17/05 17:34:37) Bad-Dll(IEP) in BHO: (not found)
(5/17/05 17:34:38) UBF: 4 - UBB: 0 - UBR: 4
(5/17/05 17:34:38) UBF: 4 - UBB: 0 - UBR: 4
(5/17/05 17:34:38) Run-Key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\sp=rundll32 C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll,DllInstall (deleted)
(5/17/05 17:34:38) Bad IE-pages: (none)
(5/17/05 17:34:38) Stealth-String not found
(5/17/05 17:34:38) File added to delete: c:\docume~1\admini~1\locals~1\temp\se.dll
(5/17/05 17:34:38) Reboot
(5/17/05 17:36:45) SPSeHjFix started v1.1.2
(5/17/05 17:36:45) OS: Win2000 Service Pack 4 (5.0.2195)
(5/17/05 17:36:45) Language: english
(5/17/05 17:36:45) Win-Path: C:\WINNT
(5/17/05 17:36:45) System-Path: C:\WINNT\system32
(5/17/05 17:36:45) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/17/05 20:26:32) SPSeHjFix started v1.1.2
(5/17/05 20:26:32) OS: Win2000 Service Pack 4 (5.0.2195)
(5/17/05 20:26:32) Language: english
(5/17/05 20:26:32) Win-Path: C:\WINNT
(5/17/05 20:26:32) System-Path: C:\WINNT\system32
(5/17/05 20:26:32) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/17/05 20:26:41) Disinfection started
(5/17/05 20:26:41) Bad-Dll(IEP): (not found)
(5/17/05 20:26:41) Bad-Dll(IEP) in BHO: (not found)
(5/17/05 20:26:41) UBF: 4 - UBB: 0 - UBR: 4
(5/17/05 20:26:41) UBF: 4 - UBB: 0 - UBR: 4
(5/17/05 20:26:41) Bad IE-pages: (none)
(5/17/05 20:26:41) Stealth-String not found
(5/17/05 20:26:41) Not infected->END
HJT AFTER AVG run
Logfile of HijackThis v1.99.1
Scan saved at 21:20:24, on 17/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Downloads\hijackthis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O20 - AppInit_DLLs: C:\WINNT\System32\msdn.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [AuFlag]
O20 - AppInit_DLLs: C:\WINNT\System32\msdn.dll
Download KillBox and unzip it to your desktop.
http://www.downloads.subratam.org/KillBox.zip
Open Killbox and select the Delete on reboot option.
Copy and paste the following file to the field labeled "Full path of file to delete"
C:\WINNT\System32\msdn.dll
Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.
Your computer will reboot.
Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.
Reboot your computer into Safe Mode
Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.
Post the contents of C:\log.txt in your next reply along with a new hijackthis log.
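The fix list in the post above can be reproduced mechanically. The Python below is an added example, not part of the original posts and not HijackThis's own logic: it parses HijackThis entry lines, flags blank R0 values, entries marked (no file) or (file missing), autorun values with no command, code loaded from a Temp directory and any O20 AppInit_DLLs value, then diffs two scans. The function names and rules are assumptions made for illustration; the sample lines are copied from the 17/05 and 18/05 logs in this thread.

```python
import re

# Entry lines copied from two logs in this thread and trimmed to a sample:
# BEFORE is from the 17/05/2005 21:20 scan, AFTER from the 18/05/2005 17:52 scan.
BEFORE_LOG = r"""
C:\WINNT\system32\svchost.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [AuFlag]
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O20 - AppInit_DLLs: C:\WINNT\System32\msdn.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
"""

AFTER_LOG = r"""
C:\WINNT\system32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
"""

# An entry line is "<section code> - <body>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# An O4 autorun whose body ends at the closing bracket has a name but no command.
EMPTY_AUTORUN_RE = re.compile(r"\[[^\]]*\]$")


def parse_entries(log_text):
    """Return (code, body) tuples for every entry line, in log order."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2).strip()))
    return entries


def flag_entry(code, body):
    """Return the reasons an entry deserves a second look (empty list if none).

    These rules are illustrative assumptions drawn from what was fixed in this
    thread; they are not a complete or authoritative malware test.
    """
    reasons = []
    low = body.lower()
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned entry: registered file is absent")
    if code in ("R0", "R1") and body.endswith("="):
        reasons.append("blank IE setting left behind after a hijack")
    if code == "O4" and EMPTY_AUTORUN_RE.search(body):
        reasons.append("autorun value with no command")
    if "\\temp\\" in low:
        reasons.append("loads code from a Temp directory")
    if code == "O20":
        reasons.append("AppInit_DLLs set: DLL loads into every process using user32.dll")
    return reasons


def triage(log_text):
    """Return (code, body, reasons) for each flagged entry, in log order."""
    flagged = []
    for code, body in parse_entries(log_text):
        reasons = flag_entry(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


def diff_logs(before, after):
    """Return (removed, added) entry lists between two scans."""
    old, new = set(parse_entries(before)), set(parse_entries(after))
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for code, body, reasons in triage(BEFORE_LOG):
        print(f"{code} - {body}\n    -> " + "; ".join(reasons))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(removed)} entries gone after the fix, {len(added)} new")
```

An entry that shows up in the "added" list of a later scan is the case to watch for: earlier in this thread the Run key for se.dll came back after a reboot.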
Steps followed. However, HJT when fixing threw up 2 error messages, but I lost the first one when it was replaced on the clipboard with No 2.
The 03 item for removal seems to have been replaced by another??
The saved HJT error message comes first on the stuff below. Then the HJT log at that point; followed by the log from SKADS, and then the final HJT log.
Cheers, and thanks .......... Iain
Unexpected error occurred!
Error #52 (Bad file name or number) in Sub GetLongPath(.exe).
Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.
This message has been copied to your clipboard.
HJT Log after the above msg
Logfile of HijackThis v1.99.1
Scan saved at 17:52:07, on 18/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\notepad.exe
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
C:\SKADS
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
C:\WINNT\system32\ODBCJET.HLP: +0`3Spec2
Files Found in all users startup Folder............
Files Found in all users windows Folder............
C:\WINNT\ibs.exe: UPX!
Finished
bye
Further HJT after rkfiles run
Logfile of HijackThis v1.99.1
Scan saved at 19:04:37, on 18/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
C:\WINNT\ibs.exe
If it gives you trouble, use Killbox following the same procedure that I outlined previously.
Let me know what problems you are still having.
Thanks - after this last change things now look good!
There is no sign of hijacking: and AVG, AdAware and Spybot all give clean results. I attach below what I hope is the last HJT log you see from me.
The machine sits behind a VIGOR 2600plus router which has firewall facilities, but I wonder if I should have a software firewall as well - but maybe I should open another thread with that sort of question.
I really am most grateful for the time and skill you have given to sorting out someone-else's problem.
Best wishes ...... Iain
Logfile of HijackThis v1.99.1
Scan saved at 18:29:12, on 19/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2plxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\llssrv.exe
C:\MSSQL7\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\Dfssvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Atiptaxx.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINNT\System32\svchost.exe
C:\Downloads\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Virgin.net
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Second Copy 2000] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4489/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{90FC027B-CEDA-4613-A3E2-D73555179557}: NameServer = 10.0.0.254
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2plxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
- Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.
- Make your Internet Explorer more secure - This can be done by following these simple instructions:
- From within Internet Explorer click on the Tools menu and then click on Options.
- Click once on the Security tab
- Click once on the Internet icon so it becomes highlighted.
- Click once on the Custom Level button.
- Change the Download signed ActiveX controls to Prompt
- Change the Download unsigned ActiveX controls to Disable
- Change the Initialize and script ActiveX controls not marked as safe to Disable
- Change the Installation of desktop items to Prompt
- Change the Launching programs and files in an IFRAME to Prompt
- Change the Navigate sub-frames across different domains to Prompt
- When all these settings have been made, click on the OK button.
- If it prompts you as to whether or not you want to save the settings, press the Yes button.
- Next press the Apply button and then the OK to exit the Internet Properties page.
- Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
- Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software.
- Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.
- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
You can find instructions on how to enable and reenable system restore here:
Managing Windows Millenium System Restore
or
Windows XP System Restore Guide
Re-enable system restore with instructions from tutorial above
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware