
Infected With Daily-search



#1 griffo

Posted 08 November 2007 - 12:39 AM

Sorry for previously incorrect post. Hope this is better.

I have daily-search on my computer. Successfully completed the preparatory items. Noticed the following:

When using cleanmgr there was an item showing called 'web client publisher temp files' 32kb. This was unchecked and as it was not mentioned I left it unchecked [FYI]

Couldn't see the auto clean option in Stinger. Repair was checked in preferences.

Am getting popups in the system tray with yellow triangle saying various things like 'Undesirable videos on hard drive fix now' and other stuff. Is this related to daily-search or another (god forbid) issue?

Here is the HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:23:34, on 08/11/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\ApvxdWin.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 203.36.91.207 pbs
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {130176B2-A242-4E13-8081-C99CA09C0CCF} - C:\WINDOWS\system32\dhcpmone.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O2 - BHO: (no name) - {9D615CCF-4419-4FF5-9913-118B4DCB7281} - c:\windows\system32\dmutils.dll (file missing)
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\Brian\LOCALS~1\Temp\{99603993-8252-49A5-A801-711ECB05ED52}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194497617234
O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708B} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/DIGITALDM2.cab
O20 - Winlogon Notify: jatrbnen - dmutils.dll (file missing)
O20 - Winlogon Notify: tt - C:\WINDOWS\
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4980 bytes

Thanks for your help



#2 RichieUK


Posted 08 November 2007 - 08:17 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, griffo.
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
*Note*
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 griffo


Posted 08 November 2007 - 03:10 PM

Hi Richie

and thanks for being a knight in shining armour. If I were a girl I'd be swooning at your feet. Just as well for both of us I'm not!

Couple of things during the process. During the sdfix process the window comes up with 'checking files' and eventually the last line reads 100% checked and the cursor is flashing underneath. They warn you that the process will take up to 10 minutes but it would have been closer to 30 minutes before it moved on, and I was thinking it had hung, especially since it had 100% checked showing. Might be worth including a warning to users.

Also after combofix had run and rebooted and while it was creating its logfile a message came up that said 'sed.cfexe has encountered a problem and needs to close. Sorry for the inconvenience etc.'

Here is the sdfix logfile


SDFix: Version 1.114

Run by Brian on 09/11/07 at 04:31

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 05:18:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\CashRegister\\Cash.exe"="C:\\CashRegister\\Cash.exe:*:Enabled:Cash"
"C:\\Documents and Settings\\All Users\\Desktop\\Brian's Business Stuff\\Salon EasyCash\\Client Folders\\Beauty & Things\\CashRegister\\Cash.exe"="C:\\Documents and Settings\\All Users\\Desktop\\Brian's Business Stuff\\Salon EasyCash\\Client Folders\\Beauty & Things\\CashRegister\\Cash.exe:*:Enabled:Cash"
"E:\\Beauty & things\\CashRegister\\Cash.exe"="E:\\Beauty & things\\CashRegister\\Cash.exe:*:Enabled:Cash"
"C:\\Documents and Settings\\Brian\\Desktop\\Stuff\\Rox\\CashRegister\\Cash.exe"="C:\\Documents and Settings\\Brian\\Desktop\\Stuff\\Rox\\CashRegister\\Cash.exe:*:Enabled:Cash"
"C:\\Documents and Settings\\All Users\\Desktop\\Brian's Stuff\\CashRegister\\Cash.exe"="C:\\Documents and Settings\\All Users\\Desktop\\Brian's Stuff\\CashRegister\\Cash.exe:*:Enabled:Cash"
"E:\\NV\\CashRegister\\Cash.exe"="E:\\NV\\CashRegister\\Cash.exe:*:Enabled:Cash"
"C:\\Documents and Settings\\Brian\\Desktop\\CashRegister\\Cash.exe"="C:\\Documents and Settings\\Brian\\Desktop\\CashRegister\\Cash.exe:*:Enabled:Cash"
"C:\\Documents and Settings\\All Users\\Desktop\\Brian's Business Stuff\\Salon EasyCash\\Client Folders\\Rox Hair\\CashRegister\\Cash.exe"="C:\\Documents and Settings\\All Users\\Desktop\\Brian's Business Stuff\\Salon EasyCash\\Client Folders\\Rox Hair\\CashRegister\\Cash.exe:*:Enabled:Cash"
"C:\\Documents and Settings\\All Users\\Desktop\\Brian's Business Stuff\\Salon EasyCash\\Client Folders\\Beauty & Things\\EasyCashBackup_Friday\\CashRegister\\Cash.exe"="C:\\Documents and Settings\\All Users\\Desktop\\Brian's Business Stuff\\Salon EasyCash\\Client Folders\\Beauty & Things\\EasyCashBackup_Friday\\CashRegister\\Cash.exe:*:Enabled:Cash"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Disabled:MSN Messenger 7.5"
"C:\\Program Files\\QuickTime\\QuickTimePlayer.exe"="C:\\Program Files\\QuickTime\\QuickTimePlayer.exe:*:Disabled:QuickTime Player"
"C:\\Documents and Settings\\Brian\\Desktop\\CashRegister\\CashRegister\\Cash.exe"="C:\\Documents and Settings\\Brian\\Desktop\\CashRegister\\CashRegister\\Cash.exe:*:Enabled:Cash"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.5"

Remaining Files:
---------------


Files with Hidden Attributes:

Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\ARCHIVES\HAIR\COACHES KIT 2006 - HAIR\Di Ford - COACHES RESOURCE DISK\COVER PAGES - BEAUTY - Di Ford\~WRL0003.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\ARCHIVES\HAIR\COACHES KIT 2006 - HAIR\Sandy Chong - COACHES RESOURCE DISK\COVER PAGES - BEAUTY -Sandy Chong\~WRL0003.tmp"
Fri 21 Sep 2007 161,792 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH HAIR\CLIENT FOLDERS - Hair\CURRENT CLIENTS old\Demitri Lecatsas\POLICIES & PROCEDURES MANUAL\~WRL0635.tmp"
Wed 21 Mar 2007 3,470,848 ...H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH HAIR\CLIENT FOLDERS - Hair\CURRENT CLIENTS old\Shiralee Trimby\POLICIES & PROCEDURES MANUAL for Shoals\~WRL1804.tmp"
Wed 21 Mar 2007 3,470,848 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH HAIR\CLIENT FOLDERS - Hair\CURRENT CLIENTS\Shiralee Trimby\POLICIES & PROCEDURES MANUAL for Shoals\~WRL1804.tmp"
Fri 1 Jun 2007 104,960 ...H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH HAIR\MARKETING - Hair\BUSINESS AND MARKETING TIPS\2007 HAIR\June 2007\~WRL0447.tmp"
Fri 28 Sep 2007 19,968 ...H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH HAIR\MARKETING - Hair\BUSINESS AND MARKETING TIPS\2007 HAIR\Spare tips\~WRL0610.tmp"
Tue 26 Jul 2005 24,064 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\CLIENT FOLDERS - Beauty\Current Clients\ALPHA - H\2005 WORKSHOPS\~WRL0079.tmp"
Fri 7 Oct 2005 61,440 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\CLIENT FOLDERS - Beauty\Current Clients\ALPHA - H\2005 WORKSHOPS\~WRL2858.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\ARCHIVES\HAIR\KITS - 2006 HAIR\COACHES KIT 2006 - HAIR\Di Ford - COACHES RESOURCE DISK\COVER PAGES HAIR - Di Ford\~WRL0003.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\ARCHIVES\HAIR\KITS - 2006 HAIR\COACHES KIT 2006 - HAIR\Di Ford - COACHES RESOURCE DISK\COVER PAGES - BEAUTY - Di Ford\~WRL0003.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\ARCHIVES\HAIR\KITS - 2006 HAIR\COACHES KIT 2006 - HAIR\Sandy Chong - COACHES RESOURCE DISK\COVER PAGES - BEAUTY -Sandy Chong\~WRL0003.tmp"
Wed 3 Jan 2007 34,304 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\ARCHIVES\HAIR\STUFF 2006\VERSION 4\TRAINING KIT\MANAGEMENT\~WRL3026.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\COACHES\2006 COACHES INFORMATION\2006 COACHES KIT AND INFO\COACHES KIT 2006 - HAIR\Di Ford - COACHES RESOURCE DISK\COVER PAGES HAIR - Di Ford\~WRL0003.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\COACHES\2006 COACHES INFORMATION\2006 COACHES KIT AND INFO\COACHES KIT 2006 - HAIR\Di Ford - COACHES RESOURCE DISK\COVER PAGES - BEAUTY - Di Ford\~WRL0003.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\COACHES\2006 COACHES INFORMATION\2006 COACHES KIT AND INFO\COACHES KIT 2006 - HAIR\Sandy Chong - COACHES RESOURCE DISK\COVER PAGES - BEAUTY -Sandy Chong\~WRL0003.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\COACHES\2006 COACHES INFORMATION\2006 COACHES INFO\COACHES KIT 2006 - HAIR\Di Ford - COACHES RESOURCE DISK\COVER PAGES HAIR - Di Ford\~WRL0003.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\COACHES\2006 COACHES INFORMATION\2006 COACHES INFO\COACHES KIT 2006 - HAIR\Di Ford - COACHES RESOURCE DISK\COVER PAGES - BEAUTY - Di Ford\~WRL0003.tmp"
Tue 7 Jun 2005 22,016 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\COACHES\2006 COACHES INFORMATION\2006 COACHES INFO\COACHES KIT 2006 - HAIR\Sandy Chong - COACHES RESOURCE DISK\COVER PAGES - BEAUTY -Sandy Chong\~WRL0003.tmp"
Wed 7 Nov 2007 19,968 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH HAIR\CLIENT FOLDERS - Hair\CURRENT CLIENTS\SERVICE SKILLS\Australian Hairdressing Council Working Group\CONFERENCE CALLS\~WRL3110.tmp"
Wed 31 Aug 2005 58,368 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\CLIENT FOLDERS - Beauty\Current Clients\PIER AUGE\2005 WORKSHOPS\New Zealand SEPTEMBER 2005\~WRL0819.tmp"
Wed 28 Sep 2005 23,552 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\MARKETING - Beauty\Breakfast Functions and Workshops PP\2005 FUNCTIONS\REGATTA BNE 18.10.05\PAYMENT DETAILS FOR KELLIE\~WRL1632.tmp"
Tue 4 Oct 2005 132,608 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\MARKETING - Beauty\Breakfast Functions and Workshops PP\2005 FUNCTIONS\REGATTA BNE 18.10.05\PAYMENT DETAILS FOR KELLIE\~WRL2216.tmp"
Tue 14 Mar 2006 44,032 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\MARKETING - Beauty\BUSINESS AND MARKETING TIPS - Beauty\2006 tips beauty\BUSINESS AND MARKETING TIPS - Beauty\2006 tips beauty\~WRL0001.tmp"
Tue 14 Mar 2006 46,080 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\MARKETING - Beauty\BUSINESS AND MARKETING TIPS - Beauty\2006 tips beauty\BUSINESS AND MARKETING TIPS - Beauty\2006 tips beauty\~WRL0002.tmp"
Mon 9 Jan 2006 57,856 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\MARKETING - Beauty\BUSINESS AND MARKETING TIPS - Beauty\2006 tips beauty\BUSINESS AND MARKETING TIPS - Beauty\2006 tips beauty\~WRL0164.tmp"
Wed 8 Mar 2006 44,032 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\MARKETING - Beauty\BUSINESS AND MARKETING TIPS - Beauty\2006 tips beauty\BUSINESS AND MARKETING TIPS - Beauty\2006 tips beauty\~WRL1970.tmp"
Wed 3 Jan 2007 34,304 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\ARCHIVES\HAIR\STUFF 2006\STUFF\VERSION 4\TRAINING KIT\MANAGEMENT\~WRL3026.tmp"
Fri 4 May 2007 76,800 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH HAIR\CLIENT FOLDERS - Hair\CURRENT CLIENTS old\HAIR EXPO\Hair Expo Kits\MARKETING KIT- HAIR for Hair Expo\Marketing Kit-Hair for Hair Expo\~WRL3551.tmp"
Fri 4 May 2007 76,800 ...H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH HAIR\FORMS AND TEMPLATES\CLIENT FOLDERS - Hair\HAIR EXPO\Hair Expo Kits\MARKETING KIT- HAIR for Hair Expo\Marketing Kit-Hair for Hair Expo\~WRL3551.tmp"
Wed 7 Sep 2005 54,784 A..H. --- "C:\Documents and Settings\All Users\Desktop\Faye's Business Stuff\YOUR COACH BEAUTY\CLIENT FOLDERS - Beauty\Current Clients\PIER AUGE\2005 WORKSHOPS\New Zealand SEPTEMBER 2005\Resources for kits nz\~WRL0023.tmp"

Finished!

Here is the combofix logfile

ComboFix 07-11-08.1 - Brian 2007-11-09 5:42:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.67 [GMT 10:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\crunner
C:\WINDOWS\system32\crunner\Version.txt
C:\WINDOWS\system32\dhcpmone.dll
C:\WINDOWS\system32\dmutils.dll
C:\WINDOWS\system32\drivers\aqmxfzjn.dat
C:\WINDOWS\system32\drivers\pzxdccnb.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_IVUPWVTI
-------\LEGACY_MIDGQDPU
-------\ivupwvti
-------\midgqdpu
-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-09 05:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 05:35 15,416 --------- C:\WINDOWS\system32\drivers\sdthook.sys
2007-11-09 04:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-08 15:08 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-11-08 15:07 <DIR> d-------- C:\NVIDIA
2007-11-08 15:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-08 14:54 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-11-08 13:29 176,160 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-08 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-08 13:21 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-08 13:21 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-08 13:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-08 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-11-08 09:35 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-11-08 09:35 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-11-08 09:35 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-11-08 09:34 <DIR> d-------- C:\Program Files\Panda Security
2007-11-08 09:34 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-11-08 09:03 <DIR> d-------- C:\EasyCashBackup_Thursday
2007-11-07 11:08 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll
2007-11-07 11:08 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0804.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0412.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0411.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt040d.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0404.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0401.dll
2007-11-07 11:08 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
2007-11-07 10:05 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-11-07 10:05 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-11-07 10:05 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-11-07 10:05 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2007-11-07 09:31 <DIR> d-------- C:\Program Files\XP TCPIP Repair
2007-11-07 08:09 359,040 --a------ C:\tcpip.sys
2007-11-06 15:59 359,040 --a------ C:\WINDOWS\system32\TCPIP.SYS
2007-11-06 15:44 7,040 --a------ C:\WINDOWS\system32\ntsim.sys
2007-11-06 09:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 05:10 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-06 05:10 741,632 --a------ C:\WINDOWS\system32\exdmwqmp.dat
2007-11-06 05:10 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-11-06 05:10 120,064 --a------ C:\WINDOWS\system32\lsbvzzru.dat
2007-11-06 05:10 41,728 --a------ C:\WINDOWS\system32\gwpmdnnx.dat
2007-11-06 05:10 36,096 --a------ C:\WINDOWS\system32\rktjnrtd.dat
2007-11-06 05:04 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-11-05 06:31 <DIR> d-------- C:\EasyCashBackup_Monday
2007-11-02 09:08 <DIR> d-------- C:\EasyCashBackup_Friday
2007-10-31 04:09 <DIR> d-------- C:\EasyCashBackup_Wednesday
2007-10-30 06:27 <DIR> d-------- C:\EasyCashBackup_Tuesday
2007-10-25 14:46 <DIR> d--h----- C:\Program Files\Zenographics
2007-10-25 14:46 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-10-25 14:46 442,368 -ra------ C:\WINDOWS\system32\zshp1020.exe
2007-10-25 14:46 143,360 -ra------ C:\WINDOWS\apptune1020.exe
2007-10-25 14:46 106,496 -ra------ C:\WINDOWS\system32\vshp1020.dll
2007-10-25 14:46 102,400 -ra------ C:\WINDOWS\system32\ZLhp1020.dll
2007-10-25 14:46 86,016 -ra------ C:\WINDOWS\system32\ZSPOOL.DLL
2007-10-25 14:46 28,672 -ra------ C:\WINDOWS\system32\zlm.dll
2007-10-25 14:46 28,672 -ra------ C:\WINDOWS\system32\IMF32.DLL
2007-10-25 14:46 24,576 -ra------ C:\WINDOWS\system32\ZTAG32.DLL
2007-10-16 07:02 <DIR> d-------- C:\CashRegisterlotus
2007-10-15 06:29 <DIR> d-------- C:\EasyCashSecBackup
2007-10-14 11:02 <DIR> d-------- C:\EasyCashBackup_Sunday

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 19:49 3,116 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-07 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-07 20:12 --------- d-----w C:\Program Files\FinePixViewer
2007-09-29 23:08 --------- d-----w C:\Documents and Settings\Brian\Application Data\FUJIFILM
2007-09-29 23:00 --------- d-----w C:\Program Files\PIXELA
2007-09-29 22:56 --------- d-----w C:\Program Files\REGSHAVE
2007-09-17 19:26 --------- d-----w C:\Program Files\QuickTime
2007-09-16 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-06 06:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bgsmsnd.exe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe" [2006-05-06 11:58]
"EssSpkPhone"="essspk.exe" [2001-10-19 12:49 C:\WINDOWS\essspk.exe]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoSizer"="C:\Program Files\AutoSizer\AutoSizer.exe" [2007-06-26 16:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
backup=C:\WINDOWS\pss\AudioDeck.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=C:\WINDOWS\pss\Exif Launcher 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C45 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssSpkPhone]
essspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v1]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 Vsp;Vsp;\??\C:\WINDOWS\system32\drivers\Vsp.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 03:30:23 C:\WINDOWS\Tasks\At1.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 05:52:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 5:57:04 - machine was rebooted
.
--- E O F ---

And the latest HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:58:44, on 09/11/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\ApvxdWin.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194497617234
O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708B} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/DIGITALDM2.cab
O20 - Winlogon Notify: tt - C:\WINDOWS\
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4487 bytes

Thanks again Richie

#4 RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 November 2007 - 04:00 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as type: 'All Files' / File name: CFScript, to your desktop.

File::
C:\WINDOWS\system32\exdmwqmp.dat
C:\WINDOWS\system32\lsbvzzru.dat
C:\WINDOWS\system32\gwpmdnnx.dat
C:\WINDOWS\system32\rktjnrtd.dat
C:\WINDOWS\Tasks\At1.job
Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
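The comparison behind the CFScript above, as an added example that is not part of the original posts and is not ComboFix's own logic: it flags `SecurityProviders` entries outside the value the script restores, flags a Winlogon Notify key that lists no DLL, and checks whether the script's `File::` targets still appear in a log's dated listings. Function names are hypothetical and the log excerpts are constructed from lines quoted in this thread.

```python
import re

# Baseline: the SecurityProviders value that the CFScript in the post above restores.
BASELINE_PROVIDERS = {"msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"}

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
NOTIFY_RE = re.compile(r"\\winlogon\\notify\\([^\\]+)$", re.IGNORECASE)
# A dated listing line (Files Created, Find3M, Scheduled Tasks) that ends in a path.
LISTING_RE = re.compile(
    r'^"?\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})? .*?([A-Za-z]:\\[^"]+)"?$')

# Constructed excerpts, assembled from lines quoted in the thread.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\exdmwqmp.dat
C:\WINDOWS\system32\lsbvzzru.dat
C:\WINDOWS\system32\gwpmdnnx.dat
C:\WINDOWS\system32\rktjnrtd.dat
C:\WINDOWS\Tasks\At1.job
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]
"""

BEFORE_LOG = r"""
2007-11-06 05:10 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-06 05:10 741,632 --a------ C:\WINDOWS\system32\exdmwqmp.dat
2007-11-06 05:10 120,064 --a------ C:\WINDOWS\system32\lsbvzzru.dat
2007-11-06 05:10 41,728 --a------ C:\WINDOWS\system32\gwpmdnnx.dat
2007-11-06 05:10 36,096 --a------ C:\WINDOWS\system32\rktjnrtd.dat

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tt]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

"2007-11-08 03:30:23 C:\WINDOWS\Tasks\At1.job"
"""

AFTER_LOG = r"""
FILE
C:\WINDOWS\system32\exdmwqmp.dat
C:\WINDOWS\Tasks\At1.job

2007-11-06 05:10 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-06 05:10 246,545 --a------ C:\WINDOWS\system32\libssl32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll
"""


def split_registry_sections(log_text):
    """Yield (key, body_lines) per [HKEY_...] block; a blank line ends the block."""
    key, body = None, []
    for raw in log_text.splitlines():
        line = raw.strip()
        match = KEY_RE.match(line)
        if match:
            if key is not None:
                yield key, body
            key, body = match.group(1), []
        elif not line:
            if key is not None:
                yield key, body
                key = None
        elif key is not None:
            body.append(line)
    if key is not None:
        yield key, body


def audit_loading_points(log_text):
    """Return (kind, key, detail) findings for the two registry checks."""
    findings = []
    for key, body in split_registry_sections(log_text):
        if key.lower().endswith(r"\control\securityproviders"):
            for line in body:
                name, _, value = line.partition(" ")
                if name.lower() != "securityproviders":
                    continue
                for dll in (d.strip().lower() for d in value.split(",")):
                    if dll and dll not in BASELINE_PROVIDERS:
                        findings.append(("extra-security-provider", key, dll))
        notify = NOTIFY_RE.search(key)
        if notify and not body:
            # A notify package with no DLL listed, like the "tt" key in the log.
            findings.append(("notify-key-without-dll", key, notify.group(1)))
    return findings


def cfscript_file_targets(script_text):
    """Return the paths listed under the File:: directive of a CFScript."""
    targets, in_files = [], False
    for raw in script_text.splitlines():
        line = raw.strip()
        if line.endswith("::"):
            in_files = line.lower() == "file::"
        elif in_files and line:
            targets.append(line)
    return targets


def targets_still_listed(script_text, log_text):
    """Script targets that still appear on a dated listing line of the log.

    Bare paths under the FILE / Other Deletions headers carry no timestamp,
    so they are not mistaken for files that survived the run.
    """
    listed = set()
    for raw in log_text.splitlines():
        match = LISTING_RE.match(raw.strip())
        if match:
            listed.add(match.group(1).strip().lower())
    return [t for t in cfscript_file_targets(script_text) if t.lower() in listed]
```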

#5 griffo

  • Topic Starter

  • Members
  • 13 posts

Posted 08 November 2007 - 04:38 PM

Here is the ComboFix log:

ComboFix 07-11-08.1 - Brian 2007-11-09 7:20:28.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.62 [GMT 10:00]
Running from: C:\Documents and Settings\Brian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\exdmwqmp.dat
C:\WINDOWS\system32\gwpmdnnx.dat
C:\WINDOWS\system32\lsbvzzru.dat
C:\WINDOWS\system32\rktjnrtd.dat
C:\WINDOWS\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\exdmwqmp.dat
C:\WINDOWS\system32\gwpmdnnx.dat
C:\WINDOWS\system32\lsbvzzru.dat
C:\WINDOWS\system32\rktjnrtd.dat
C:\WINDOWS\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-09 05:40 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-09 05:35 15,416 --------- C:\WINDOWS\system32\drivers\sdthook.sys
2007-11-09 04:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-08 15:08 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-11-08 15:07 <DIR> d-------- C:\NVIDIA
2007-11-08 15:00 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-11-08 14:54 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2007-11-08 13:29 219,168 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-08 13:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-11-08 13:21 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-11-08 13:21 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-11-08 13:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-11-08 09:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-11-08 09:35 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-11-08 09:35 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-11-08 09:35 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-11-08 09:34 <DIR> d-------- C:\Program Files\Panda Security
2007-11-08 09:34 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-11-08 09:03 <DIR> d-------- C:\EasyCashBackup_Thursday
2007-11-07 11:08 331,264 --a--c--- C:\WINDOWS\system32\dllcache\aqueue.dll
2007-11-07 11:08 45,056 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_aqadmin.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0804.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0412.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0411.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt040d.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0404.dll
2007-11-07 11:08 19,456 --a--c--- C:\WINDOWS\system32\dllcache\agt0401.dll
2007-11-07 11:08 5,632 --a--c--- C:\WINDOWS\system32\dllcache\EXCH_adsiisex.dll
2007-11-07 10:05 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2007-11-07 10:05 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2007-11-07 10:05 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2007-11-07 10:05 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2007-11-07 09:31 <DIR> d-------- C:\Program Files\XP TCPIP Repair
2007-11-07 08:09 359,040 --a------ C:\tcpip.sys
2007-11-06 15:59 359,040 --a------ C:\WINDOWS\system32\TCPIP.SYS
2007-11-06 15:44 7,040 --a------ C:\WINDOWS\system32\ntsim.sys
2007-11-06 09:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-06 05:10 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-11-06 05:10 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-11-06 05:04 <DIR> d-------- C:\WINDOWS\system32\AppCert
2007-11-05 06:31 <DIR> d-------- C:\EasyCashBackup_Monday
2007-11-02 09:08 <DIR> d-------- C:\EasyCashBackup_Friday
2007-10-31 04:09 <DIR> d-------- C:\EasyCashBackup_Wednesday
2007-10-30 06:27 <DIR> d-------- C:\EasyCashBackup_Tuesday
2007-10-25 14:46 <DIR> d--h----- C:\Program Files\Zenographics
2007-10-25 14:46 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-10-25 14:46 442,368 -ra------ C:\WINDOWS\system32\zshp1020.exe
2007-10-25 14:46 143,360 -ra------ C:\WINDOWS\apptune1020.exe
2007-10-25 14:46 106,496 -ra------ C:\WINDOWS\system32\vshp1020.dll
2007-10-25 14:46 102,400 -ra------ C:\WINDOWS\system32\ZLhp1020.dll
2007-10-25 14:46 86,016 -ra------ C:\WINDOWS\system32\ZSPOOL.DLL
2007-10-25 14:46 28,672 -ra------ C:\WINDOWS\system32\zlm.dll
2007-10-25 14:46 28,672 -ra------ C:\WINDOWS\system32\IMF32.DLL
2007-10-25 14:46 24,576 -ra------ C:\WINDOWS\system32\ZTAG32.DLL
2007-10-16 07:02 <DIR> d-------- C:\CashRegisterlotus
2007-10-15 06:29 <DIR> d-------- C:\EasyCashSecBackup
2007-10-14 11:02 <DIR> d-------- C:\EasyCashBackup_Sunday

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 20:13 3,212 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-07 23:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-07 20:12 --------- d-----w C:\Program Files\FinePixViewer
2007-09-29 23:08 --------- d-----w C:\Documents and Settings\Brian\Application Data\FUJIFILM
2007-09-29 23:00 --------- d-----w C:\Program Files\PIXELA
2007-09-29 22:56 --------- d-----w C:\Program Files\REGSHAVE
2007-09-17 19:26 --------- d-----w C:\Program Files\QuickTime
2007-09-16 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-06 06:14 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bgsmsnd.exe"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe" [2006-05-06 11:58]
"EssSpkPhone"="essspk.exe" [2001-10-19 12:49 C:\WINDOWS\essspk.exe]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AutoSizer"="C:\Program Files\AutoSizer\AutoSizer.exe" [2007-06-26 16:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AudioDeck.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AudioDeck.lnk
backup=C:\WINDOWS\pss\AudioDeck.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher 2.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Exif Launcher 2.lnk
backup=C:\WINDOWS\pss\Exif Launcher 2.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus C45 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB001" /M "Stylus C45"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssSpkPhone]
essspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
C:\Program Files\Free Download Manager\fdm.exe -autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pdfFactory Pro Dispatcher v1]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis1.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN

S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 Vsp;Vsp;\??\C:\WINDOWS\system32\drivers\Vsp.sys

.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 07:26:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 7:28:07
C:\ComboFix2.txt ... 2007-11-09 05:57
.
--- E O F ---

and the latest HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:36:47, on 09/11/07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AutoSizer\AutoSizer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O3 - Toolbar: pdfMachine - {56CF4856-ECB4-4e46-A897-A378821F97B9} - C:\WINDOWS\system32\bgstb.dll
O4 - HKLM\..\Run: [bgsmsnd.exe] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\bgsmsnd.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [AutoSizer] "C:\Program Files\AutoSizer\AutoSizer.exe"
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O12 - Plugin for .tif: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin7.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqaio/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by112fd.bay112.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1194497617234
O16 - DPF: {F6676623-8BBD-479C-A51B-05868728708B} (DigitalDM) - http://www.digitaldm.com/Plug-in/myebk/DIGITALDM2.cab
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4627 bytes

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 November 2007 - 04:52 PM

Your log is clean :thumbsup:
If all's ok, please do the following:

Click on Start/Run, copy and paste ComboFix /u into the 'Open:' space, then press Ok.

Please download OTMoveIt by OldTimer:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so.
When the 'Confirm' box appears click 'Yes'.
Restart your PC when prompted.

Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1

Double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description\name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm

#7 griffo

griffo
  • Topic Starter

  • Members
  • 13 posts

Posted 08 November 2007 - 05:16 PM

Hi Richie

All done and all fixed. Really appreciate your time. Will read suggested items and attempt to stay clean and go straight from now on.

Cheers

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 08 November 2007 - 07:54 PM

You're welcome :thumbsup:

This thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.
If you should have a new issue, please start a new topic.
This applies only to the original topic starter.
Everyone else please begin a New Topic.



