
explorer.exe 0xc0000005 error

Discussion in 'Virus & Other Malware Removal' started by jeff1111, Apr 18, 2008.

  1. jeff1111

    jeff1111 Thread Starter

    Joined:
    Apr 18, 2008
    Messages:
    38
    Hopefully I am posting this in the right section.

    Running Windows XP

    Last week I was getting an error upon login to Windows where it said a file
    called: browseui.dll was corrupt.
    No icons would show up on the desktop and I could not get to my files (explorer) or folders.

    I could access the task manager so I copied a new browseui.dll file to the folder
    c:\windows\system32 and it fixed the problem, though every day it would reappear.

    Avast virus scan and MS Defender found no viruses.

    Today I got the same problem but also an error message:
    explorer.exe 0xc0000005 error

    Again no desktop icons and unable to get to files or folders, even when I replaced the browseui.dll file.

    I have searched around but am not finding a solution....

    I already tried a system restore to a couple of weeks ago
    and no change. I also already tried to download a patch but that
    did nothing.


    Suggestions appreciated....

    Though remember I do not have a way to find or get to a file I may download, unless someone can tell me how to do that as well.

    This is a business computer with many files I need to access and/or copy off so any help would be greatly
    appreciated.

    thanks.
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, jeff1111.:)

    Welcome to TSG.

    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Double-click on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis.
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch HijackThis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
     
  3. jeff1111

    jeff1111 Thread Starter

    Thanks, I did as you posted, here is the Hijack This log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:17:12 PM, on 4/18/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.createthechange.com/news.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: del.icio.us Toolbar Helper - {7AA07AE6-01EF-44EC-93CA-9D7CD41CCDB6} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
    O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
    O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm265MFUS
    O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
    O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15-3.cab
    O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_6_1/controls/ybrequest.cab
    O16 - DPF: {C9DB5AF8-4C14-4A3E-90F8-DB49D6B4866D} (YBUICtrl.FloatWnd.1) - http://racing.youbet.com/wr_6_1/controls/YBUICtrl.cab
    O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9109 bytes
     
  4. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Hi, jeff1111 :)

    Please re-open HijackThis and scan. Check the boxes next to all the entries listed below.

    R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i

    Now close all windows and browsers, other than HiJackThis, then click Fix Checked.

    Close Hijackthis.

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    Please go to Start > Control Panel > Add/Remove Programs and remove the following (if present):

    MyWebSearch

    Please note any other programs that you don't recognize in that list in your next response.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

    C:\Program Files\MyWebSearch

    Restart the computer.

    Download Deckard's System Scanner (DSS) from here or here to your Desktop. Note: You must be logged onto an account with administrator privileges.
    1. Close all applications and windows.
    2. Double-click on dss.exe to run it, and follow the prompts.
    3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
    4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of both, the main.txt and the extra.txt in your next reply.
    If the files are too long, attach them to a reply:
    1. Scroll down and click the [Manage Attachments] button
    2. Browse to the following folder:
      • C:\Deckard\System Scanner
    3. Click Upload to upload these files one by one
    4. Submit your reply
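
Added example, not part of the original thread or of HijackThis: a small Python parser for the `CODE - description` line format of the log posted above, which reproduces the four entries ticked in this reply and lists files registered under more than one section. The sample lines are copied from the posted log; the folder and the two Run value names come from the reply, and all function names are illustrative.

```python
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Subset of the HijackThis log posted in this thread (copied, not constructed).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\taskmgr.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vitagenesis.com/
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Selection criteria taken from the reply above (not a general blocklist).
FIX_FOLDERS = [r"C:\Program Files\MyWebSearch"]
FIX_RUN_NAMES = {"MSConfig", "*Restore"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # e.g. "O4 - ..."
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx)\b", re.IGNORECASE)
RUN_NAME_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(Run\w*): \[([^\]]+)\]")


class Entry(NamedTuple):
    code: str                 # section code: R0, R3, O2, O4, O23, ...
    body: str                 # everything after "CODE - "
    clsid: Optional[str]      # COM class id, when the entry has one
    path: Optional[str]       # first binary path on the line, if any
    run_name: Optional[str]   # registry value name for O4 Run/RunOnce entries
    line: str                 # original line, as it must appear in a fix list


def parse_log(text):
    """Return one Entry per section line; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        code, body = m.groups()
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        run = RUN_NAME_RE.match(body) if code == "O4" else None
        entries.append(Entry(code, body,
                             clsid.group(0) if clsid else None,
                             path.group(0) if path else None,
                             run.group(2) if run else None,
                             line))
    return entries


def under_folder(path, folder):
    """Case-insensitive check that path lies inside folder (not a sibling prefix)."""
    return path.lower().startswith(folder.lower().rstrip("\\") + "\\")


def select_for_fix(entries, folders, run_names):
    """Entries whose file is under a listed folder, or O4 entries with a listed name."""
    picked = []
    for e in entries:
        in_folder = e.path is not None and any(under_folder(e.path, f) for f in folders)
        named_run = e.code == "O4" and e.run_name in run_names
        if in_folder or named_run:
            picked.append(e)
    return picked


def shared_files(entries):
    """Map each file referenced from more than one section to its section codes."""
    seen = defaultdict(set)
    for e in entries:
        if e.path:
            seen[e.path.lower()].add(e.code)
    return {p: sorted(codes) for p, codes in seen.items() if len(codes) > 1}


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for entry in select_for_fix(parsed, FIX_FOLDERS, FIX_RUN_NAMES):
        print(entry.line)
    for path, codes in shared_files(parsed).items():
        print(f"{path} registered under {', '.join(codes)}")
```

Run on the full log, `shared_files` shows which single DLL sits behind several hook points, which is why the R3 and O2 MyWebSearch lines are ticked together.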
     
  5. jeff1111

    jeff1111 Thread Starter

    I followed the instructions and all went well until I tried to run
    the dss.exe file I downloaded. Tried it three times and it started
    and got to the point where it said: Backing Up Registry Hives
    and then my computer would reboot.

    The icons have reappeared though, which is good. Yet there still may be
    a virus or problem? If you can please let me know why you think the dss.exe
    execution would cause my computer to reboot and if there is anything
    I can do to get it to run as you requested.

    thanks,
    Jeff
     
  6. jeff1111

    jeff1111 Thread Starter

    Update,

    I tried the dss.exe again and this time it got
    past the Hives back up but then when it got to
    the Temporary Files I got this message:

    dss.exe has encountered a problem and needs to
    close.

    Error signature
    AppName: dss.exe AppVer 3.2.8.1 ModName dss.dll
    ModVer 0.0.0.0 Offset 00002120

    Exception information
    Code: 0xc000000d
    Flags: 0x00000000
     
  7. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Hi, jeff1111 :)

    Download the enclosed folder. Save and extract its contents to the desktop. It is a folder containing a batch file. Once extracted, double click on the RunMe.bat and post the contents of resulting report.

    Download OTScanit.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanit on your desktop. OTScanit can be detected as malware by your firewall and Antivirus. Choose Ignore on any warning alert.
    1. Close any open browsers.
    2. Open the OTScanit folder and double-click on OTScanit.exe to start the program.
    3. Now click the Run Scan button on the toolbar.
    4. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    5. When the scan is complete Notepad will open with the report file loaded in it.
    6. Save that notepad file
    Use the Reply button and attach the notepad file here (Do not copy and paste in a reply, rather attach it to it).
     


  8. jeff1111

    jeff1111 Thread Starter

    Thanks,

    I did these steps and have attached both results files.

    - Jeff
     


  9. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Hi, jeff1111 :)

    You have been running programs from the temporary folders. Nothing should be run from these. If you need to download and run a program, make sure you run that program from a permanent folder, such as your desktop.

    Start OTScanit. Copy/Paste the information in the Quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


    Code:
    [Kill Explorer]
    [Unregister Dlls]
    [Registry - Non-Microsoft Only]
    < Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    YN -> Capture Text -> []
    < User Agent Post Platform [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
    YN -> FunWebProducts -> 
    YN -> SU 3.011 -> StumbleUpon Version String
    < Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
    YY -> ic32pp:{BBCA9F81-8F4F-11D2-90FF-0080C83D3571} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\wc98pp.dll[Reg Error: Value  does not exist or could not be read.]
    < Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\
    YN -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/DownloadManagerV2.ocx\\.Owner -> {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1}
    [Files/Folders - Created Within 30 days]
    YY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    [Files/Folders - Modified Within 30 days]
    NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> 6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
    NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    NY -> opa11.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\OFFICE\DATA\opa11.dat
    NY -> 16 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.tmp
    NY -> CF06674C-EDA6-48df-B12C-F810984ACF54.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\CF06674C-EDA6-48df-B12C-F810984ACF54.exe
    NY -> dotnetfx3setup.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\dotnetfx3setup.exe
    NY -> install.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\install.exe
    NY -> JingSetup1.2.5.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\JingSetup1.2.5.exe
    NY -> msgup810_249_us.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\msgup810_249_us.exe
    NY -> msgup810_401_us.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\msgup810_401_us.exe
    NY -> msgup810_421_us.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\msgup810_421_us.exe
    NY -> msgup_us.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\msgup_us.exe
    NY -> WiseUpdX.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\WiseUpdX.exe
    NY -> ymsgr.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\ymsgr.exe
    NY -> 4023 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
    NY -> uninstall.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\uninstall.exe
    NY -> update.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\update.exe
    NY -> 3 C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\*.tmp
    NY -> QuickTimeInstaller.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{336C06E7-0219-44AF-8593-E2009E24FCCD}\QuickTimeInstaller.exe
    NY -> Drvldr.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{D0B62912-F69C-4F35-BAC6-8460F7DF6C3C}\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Roxio\Drvldr.exe
    NY -> setup.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\{D0B62912-F69C-4F35-BAC6-8460F7DF6C3C}\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Roxio\setup.exe
    NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~aidlpks.tmp\md5deep.exe
    NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~aidlpks.tmp\sed.exe
    NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~aidlpks.tmp\swreg.exe
    NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~dykoriw.tmp\md5deep.exe
    NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~dykoriw.tmp\sed.exe
    NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~eijtxmu.tmp\md5deep.exe
    NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~eijtxmu.tmp\sed.exe
    NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~eijtxmu.tmp\swreg.exe
    NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~fyivshr.tmp\md5deep.exe
    NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~fyivshr.tmp\sed.exe
    NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~fyivshr.tmp\swreg.exe
    NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~mjgjgtc.tmp\md5deep.exe
    NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~mjgjgtc.tmp\sed.exe
    NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~mjgjgtc.tmp\swreg.exe
    NY -> md5deep.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~smqgbhg.tmp\md5deep.exe
    NY -> sed.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~smqgbhg.tmp\sed.exe
    NY -> swreg.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\~smqgbhg.tmp\swreg.exe
    NY -> INVISUSSpywareScan.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\is-MCQER.tmp\INVISUSSpywareScan.exe
    NY -> SetupX.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\SetupX.exe
    NY -> 50comupd.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\50comupd.exe
    NY -> instmsia.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\instmsia.exe
    NY -> instmsiw.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\instmsiw.exe
    NY -> ShFolder.Exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\ShFolder.Exe
    NY -> NeroDelTmp.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\NeroDelTmp.exe
    NY -> UninstallNero.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\UninstallNero.exe
    NY -> Secret Crystals and Gemstones Vol I eBook.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 1 for Secret_Crystals_and_Gemstones_Vol_I_eBook.zip\Secret Crystals and Gemstones Vol I eBook.exe
    NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Local Settings\Temp\Temporary Directory 1 for Secret_Crystals_and_Gemstones_Vol_I_eBook.zip\Secret Crystals and Gemstones Vol I eBook.exe:Zone.Identifier
    NY -> Setup.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 1 for sothink-free-menu-builder.zip\Disk1\Setup.exe
    NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Local Settings\Temp\Temporary Directory 1 for sothink-free-menu-builder.zip\Disk1\Setup.exe:Zone.Identifier
    NY -> Secret Crystals and Gemstones Vol I eBook.exe -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 2 for Secret_Crystals_and_Gemstones_Vol_I_eBook.zip\Secret Crystals and Gemstones Vol I eBook.exe
    NY -> @Alternate Data Stream - 0 bytes -> %UserProfile%\Local Settings\Temp\Temporary Directory 2 for Secret_Crystals_and_Gemstones_Vol_I_eBook.zip\Secret Crystals and Gemstones Vol I eBook.exe:Zone.Identifier
    NY -> AcsInstall.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\AcsInstall.dll
    NY -> AOLFirewallMgr.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\AOLFirewallMgr.dll
    NY -> AOLInstallerfw.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\AOLInstallerfw.dll
    NY -> insmac2k.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\insmac2k.dll
    NY -> instph.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\instph.dll
    NY -> QTInstallerHelper.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\QTInstallerHelper.dll
    NY -> SHFOLDER.DLL -> C:\Documents and Settings\Jeff\Local Settings\Temp\SHFOLDER.DLL
    NY -> uninst.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\uninst.dll
    NY -> ywiseext.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\ywiseext.dll
    NY -> 4023 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
    NY -> 5596adc.DLL -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\5596adc.DLL
    NY -> Adobeisf.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\Adobeisf.dll
    NY -> Adobeupd.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\Adobeupd.dll
    NY -> patchw32.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\patchw32.dll
    NY -> CondMgr.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\{45BA7145-64B0-4B5D-BDC2-40E20FCDC6DC}\CondMgr.dll
    NY -> HSAPI.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\{45BA7145-64B0-4B5D-BDC2-40E20FCDC6DC}\HSAPI.dll
    NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~aidlpks.tmp\dss.dll
    NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~dykoriw.tmp\dss.dll
    NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~eijtxmu.tmp\dss.dll
    NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~fyivshr.tmp\dss.dll
    NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~mjgjgtc.tmp\dss.dll
    NY -> pncrt.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~rnsetup\pncrt.dll
    NY -> pnrs3260.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~rnsetup\pnrs3260.dll
    NY -> dss.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\~smqgbhg.tmp\dss.dll
    NY -> asycfilt.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\asycfilt.dll
    NY -> mfc42.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\mfc42.dll
    NY -> msvcirt.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\msvcirt.dll
    NY -> msvcp60.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\msvcp60.dll
    NY -> msvcrt.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\msvcrt.dll
    NY -> oleaut32.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\oleaut32.dll
    NY -> olepro32.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Redist\MS\System\olepro32.dll
    NY -> APATCH.DLL -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\APATCH.DLL
    NY -> nps.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\nps.dll
    NY -> unrar.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\NeroDemo9598\Setup\unrar.dll
    NY -> AdvrCntr2.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\AdvrCntr2.dll
    NY -> ShellManager.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\ShellManager.dll
    NY -> ShellManager10E2D762.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\ShellManager10E2D762.dll
    NY -> 1 C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\nro.tmp\*.tmp
    NY -> System.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsi414.tmp\System.dll
    NY -> InetLoad.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\InetLoad.dll
    NY -> InstallOptions.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\InstallOptions.dll
    NY -> System.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\System.dll
    NY -> UserInfo.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\UserInfo.dll
    NY -> InetLoad.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\InetLoad.dll
    NY -> InstallOptions.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\InstallOptions.dll
    NY -> System.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\System.dll
    NY -> UserInfo.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\UserInfo.dll
    NY -> rhaplog.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\Rhapsody\rhaplog.dll
    NY -> rspov2701.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\RSPSoftware\rspov2701.dll
    NY -> js3250.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\js3250.dll
    NY -> nspr4.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\nspr4.dll
    NY -> plc4.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\plc4.dll
    NY -> plds4.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\plds4.dll
    NY -> xpcom_compat.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\xpcom_compat.dll
    NY -> xpcom_core.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\xpcom_core.dll
    NY -> jar50.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\components\jar50.dll
    NY -> jsd3250.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\components\jsd3250.dll
    NY -> xpinstal.dll -> C:\Documents and Settings\Jeff\Local Settings\Temp\tb_temp\xpcom.ns\bin\components\xpinstal.dll
    NY -> pcp.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\pcp.dat
    NY -> Perflib_Perfdata_1e4.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\Perflib_Perfdata_1e4.dat
    NY -> Perflib_Perfdata_d08.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\Perflib_Perfdata_d08.dat
    NY -> Perflib_Perfdata_e9c.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\Perflib_Perfdata_e9c.dat
    NY -> 4023 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
    NY -> 1a162918f4e459e3f12678cf55c8c460.dat -> C:\Documents and Settings\Jeff\Local Settings\Temp\{257079CA-2FFD-4C92-A1B5-3AE466ECEF22}\cache\1a162918f4e459e3f12678cf55c8c460.dat
    NY -> 4194-1~3.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\4194-1~3.ini
    NY -> addonsb.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\addonsb.ini
    NY -> AOLFirewallMgr.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\AOLFirewallMgr.ini
    NY -> aolsetup.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\aolsetup.ini
    NY -> Dll_.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\Dll_.ini
    NY -> setup.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\setup.ini
    NY -> {AC76BA86-1033-F400-7760-000000000003}.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\{AC76BA86-1033-F400-7760-000000000003}.ini
    NY -> 4023 C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\*.tmp
    NY -> AdobeIns.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\_ISTMP1.DIR\_ISTMP1.DIR\AdobeIns.ini
    NY -> 0x0409.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\{D0B62912-F69C-4F35-BAC6-8460F7DF6C3C}\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Roxio\0x0409.ini
    NY -> Setup.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\{D0B62912-F69C-4F35-BAC6-8460F7DF6C3C}\{BBBCAE4B-B416-4182-A6F2-438180894A81}\Roxio\Setup.ini
    NY -> vtipres.INI -> C:\Documents and Settings\Jeff\Local Settings\Temp\FrontPageTempDir\vtipres.INI
    NY -> 106 C:\Documents and Settings\Jeff\Local Settings\Temp\FrontPageTempDir\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\FrontPageTempDir\*.tmp
    NY -> ioSpecial.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsvD74.tmp\ioSpecial.ini
    NY -> ioSpecial.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\nsxD70.tmp\ioSpecial.ini
    NY -> z-BornRich.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 1 for bornrich.zip\z-BornRich.ini
    NY -> z-BornRich.ini -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Directory 2 for bornrich.zip\z-BornRich.ini
    NY -> 1 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HMRGLQJ\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HMRGLQJ\*.tmp
    NY -> 57 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\1V7FH1KU\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\1V7FH1KU\*.tmp
    NY -> 54 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\8PIV8D2N\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\8PIV8D2N\*.tmp
    NY -> 6 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AJEBIHUB\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AJEBIHUB\*.tmp
    NY -> 80 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AXO769M9\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AXO769M9\*.tmp
    NY -> 23 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\DZIPVR1T\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\DZIPVR1T\*.tmp
    NY -> 13 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\GDE3STU3\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\GDE3STU3\*.tmp
    NY -> 3 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\HBNZ2FLN\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\HBNZ2FLN\*.tmp
    NY -> 15 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\N0YFAG1Y\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\N0YFAG1Y\*.tmp
    NY -> 18 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHYRO9YN\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHYRO9YN\*.tmp
    NY -> 7 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\S54JW3SJ\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\S54JW3SJ\*.tmp
    NY -> 15 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNH3A2FP\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNH3A2FP\*.tmp
    NY -> 3 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOD5RRZN\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOD5RRZN\*.tmp
    NY -> 66 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5U3CP6B\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5U3CP6B\*.tmp
    NY -> 15 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\YX523QLS\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\YX523QLS\*.tmp
    NY -> 16 C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.tmp files -> C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.tmp
    NY -> capture.exe -> C:\WINDOWS\Temp\capture.exe
    NY -> ~GL_1476.EXE -> C:\WINDOWS\Temp\~GL_1476.EXE
    NY -> 97 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
    NY -> saver.dll -> C:\WINDOWS\Temp\saver.dll
    NY -> 97 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
    [Extra Files]
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\0HMRGLQJ\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\1V7FH1KU\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\8PIV8D2N\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\AJEBIHUB\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\DZIPVR1T\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\EDELOXGZ\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\GDE3STU3\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\HBNZ2FLN\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\N0YFAG1Y\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\N8H5F08C\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHYRO9YN\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\OLW56NK1\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\Q7GTADSR\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\S54JW3SJ\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\S54JW3SJ\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNH3A2FP\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\SNH3A2FP\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOD5RRZN\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\UOD5RRZN\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\W5U3CP6B\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\YX523QLS\*.*
    C:\Documents and Settings\Jeff\Local Settings\Temp\Temporary Internet Files\Content.IE5\ZD8DN9NW\*.*
    [Empty Temp Folders]
    [Start Explorer]
    [Reboot]
    

    The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTScanit scan.

    I will review the information when it comes back in.

    Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
     
  10. jeff1111

    jeff1111 Thread Starter

    Joined:
    Apr 18, 2008
    Messages:
    38
    It looks to me like the Otscanit program is in my desktop folder, so I am not sure how I am running them from a temporary folder.

    C:\Documents and Settings\Jeff\Desktop\OTScanIt

    But I ran this as you suggested and:

    1. Did not see a box pop up saying it was finished; a box popped up saying it needed to reboot the computer to finish moving files.

    2. I clicked Ok and it rebooted fine.

    Not sure what files to include but I have attached one of two log files I see in a folder called Moved Files. The second one will not attach as it is probably too big, it is 2.45 MB (2,574,956 bytes) and called 04192008_211146.log


    I also included the Otscanit.txt file even though that seems to be time stamped this afternoon.

    I hope I did this correctly, please let me know if I need to rerun it or something?

    I appreciate all the help you have given so far, - Jeff
     


  11. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    The OTScanIt report is the same report submitted earlier. Please re-scan with OTScanIt and post a fresh report.
     
  12. jeff1111

    jeff1111 Thread Starter

    Joined:
    Apr 18, 2008
    Messages:
    38
    I re-scanned with OTScanIt and have attached the fresh report.

    Thank you.
     


  13. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, jeff1111 :)

    It looks much better.

    Please do an online scan with Kaspersky WebScanner (use Internet Explorer).

    Click on Accept

    You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
    • The program will launch and then begin downloading the latest definition files:
    • Once the files have been downloaded click on NEXT
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
      • Scan Options:
      • Scan Archives
      • Scan Mail Bases
    • Click OK
    • Now under select a target to scan:
      • Select My Computer
    • The program will start and scan your system.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
      • Now click on the Save as Text button:
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
     
  14. jeff1111

    jeff1111 Thread Starter

    Joined:
    Apr 18, 2008
    Messages:
    38
    The scan ran for about 20 minutes and the screen/computer froze up.
    I had to reboot to do anything.

    Will try it again and post if it runs through.

    Update, I did have the browseui.dll file corrupted again this morning (no icons on desktop) and they returned after I corrected that file.

    Computer has rebooted itself twice (this has happened in the past as well) for no apparent reason.

    Again, many thanks for your continued help with this. - Jeff
     
  15. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, jeff1111 :)

    Try DSS.exe once again, if the issue persists, please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
        -----------------------------------------------------------
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      -----------------------------------------------------------
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     

Short URL to this thread: https://techguy.org/705003
